Improving account security with delegated recovery
By Brad Hill, Facebook Security Engineer
Last week, Facebook announced support for U2F Security Keys, to help keep accounts secure with our second-factor authentication feature called login approvals.
This is part of a larger story of industry investment and innovation around improving, and perhaps even replacing, the password. The truth is, technologies for login authentication like FIDO are only half of the story needed to keep accounts secure. The other half is account recovery—specifically, how do you regain access to your account if you lose your password, phone, or security key?
So-called “security questions” are widely acknowledged as both inconvenient and risky. They tend to be re-used across different accounts, making them even more dangerous than shared passwords. Recovery emails and SMS messages are common alternatives, and while they can get the job done, both are showing their age: neither offers the end-to-end security guarantees we expect from modern protocols, and these methods are becoming less reliable as the next billion people are getting online for the first time.
We need something better—a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number. This process needs to be easy, secure, and respectful of your privacy.
Some tools like Facebook Login and Trusted Contacts are part of the solution, but not every site uses the same features. Consider GitHub, a collaborative software development platform that hosts some of the most popular software in the world, including Facebook's own open source projects like React and osquery. GitHub maintains direct control of how it authenticates its users, how it assesses password strength and other risk signals, and how it deploys a diverse set of two-factor authentication methods.
So what do you do if you lose access to the phone number or security keys you use at GitHub? An email address alone can't provide the same level of two-factor authentication to recover access, so starting Tuesday, you'll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub. You'll need to set up this method in advance by saving a recovery token with your Facebook account. A recovery token is encrypted so Facebook can't read your personal information. If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.
This can happen in just a few clicks in your browser, all over HTTPS.
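The flow above has three security properties worth making concrete: the token the recovery provider stores is opaque to it, the provider's counter-signature proves the same person who saved the token has re-authenticated, and the timestamp lets the issuing site reject replays of an old counter-signature. The example below is added here to illustrate those properties; it is not Facebook's or GitHub's reference implementation and does not follow the published protocol's message formats. It assumes an AES-GCM key held only by the issuing site (GitHub's role), an ECDSA P-256 signing key held by the recovery provider (Facebook's role), a constructed account identifier, and a five-minute acceptance window, none of which appear in the post. How the issuer obtains the provider's public key is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Issuer models the service whose account is being recovered (GitHub in the
// post). Only it holds the key that can decrypt a recovery token.
type Issuer struct{ aead cipher.AEAD }

func NewIssuer() (*Issuer, error) {
	key := make([]byte, 32) // AES-256 key; a real deployment would load it from a KMS (assumption)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Issuer{aead: aead}, err
}

// IssueToken seals the account identifier into an opaque blob (nonce || ciphertext || tag).
// The provider stores this blob but cannot read it.
func (i *Issuer) IssueToken(accountID string) ([]byte, error) {
	nonce := make([]byte, i.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return i.aead.Seal(nonce, nonce, []byte(accountID), nil), nil
}

// Recover checks the provider's counter-signature and its freshness, then opens the token.
func (i *Issuer) Recover(providerKey *ecdsa.PublicKey, token []byte, ts int64, sig []byte,
	now time.Time, maxAge time.Duration) (string, error) {
	if !ecdsa.VerifyASN1(providerKey, signedDigest(token, ts), sig) {
		return "", errors.New("counter-signature invalid")
	}
	if age := now.Sub(time.Unix(ts, 0)); age < 0 || age > maxAge {
		return "", errors.New("counter-signature timestamp outside acceptance window")
	}
	ns := i.aead.NonceSize()
	if len(token) < ns {
		return "", errors.New("token too short")
	}
	plain, err := i.aead.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return "", errors.New("token not issued by us or tampered")
	}
	return string(plain), nil
}

// Provider models the recovery provider (Facebook in the post): it stores the opaque token unread.
type Provider struct {
	key   *ecdsa.PrivateKey
	store map[string][]byte // provider-side user -> saved token
}

func NewProvider() (*Provider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{key: key, store: map[string][]byte{}}, nil
}

func (p *Provider) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }
func (p *Provider) SaveToken(user string, token []byte) { p.store[user] = token }

// CounterSign runs after the user re-authenticates to the provider: it signs
// token || timestamp so the issuer can verify who vouched for this token and when.
func (p *Provider) CounterSign(user string, now time.Time) ([]byte, int64, []byte, error) {
	token, ok := p.store[user]
	if !ok {
		return nil, 0, nil, errors.New("no token saved for this user")
	}
	ts := now.Unix()
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, signedDigest(token, ts))
	return token, ts, sig, err
}

// signedDigest binds the token bytes to the timestamp so neither can be swapped.
func signedDigest(token []byte, ts int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	sum := sha256.Sum256(append(append([]byte{}, token...), buf[:]...))
	return sum[:]
}
```

The issuer verifies the counter-signature before touching the token, so a forged or replayed message is rejected without any decryption; the timestamp check is what turns a valid old counter-signature into a useless one after the window closes. A second issuer holding a different key, or a provider signing with a key the issuer does not trust, both fail closed.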
We're releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs. Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria. We would like to see more services adopt this account recovery design over the long run, so we are publishing the protocol behind this feature today on our open source site at GitHub:
Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages to make it easy to build secure and privacy-preserving connections among your accounts and ensure you never lose access.
Soon, we hope to open the ability for any service to improve its account recovery experience using Facebook. We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook.
Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts.