Forgetting your password is one thing, but being locked out of your account is another.
The frustration of losing access to an account is hard to overstate, especially when it holds important contacts or documents. This happens to a great many people today, and on top of it comes the not-so-secure recovery process most accounts rely on.
With hacks and breaches targeting Yahoo, Gmail and the like, every user whose accounts are tied to a compromised email account is in trouble. The answers to security questions can be obtained by attackers, and even the recovery link sent to the user's email when resetting a lost or forgotten password can be compromised as well.
Facebook doesn't want this to happen anymore. It has been upping its game on account security, adding measures to prevent account takeovers and to let users regain access to their accounts.
At the USENIX Enigma conference, Facebook Security Engineer Brad Hill introduced a feature that allows users to regain access to their accounts without relying on email or security questions.
“We need something better — a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number,” Hill said.
The new feature, Delegated Recovery, works by storing an encrypted recovery token issued by any site that supports it (currently only GitHub). When users lose their login credentials, they simply sign in to Facebook, send the stored token back to the site, prove their identity, and unlock their account. The information inside the token is encrypted, and not even Facebook can read it.
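To make the two roles in that description concrete, here is an added sketch (not Facebook's code and not the real Delegated Recovery token format): the site seals a token that only it can open and later verifies it when the token comes back, while the recovery provider merely stores bytes it cannot read. `SITE_KEY`, the one-week lifetime and the hypothetical `alice` account are constructed for the demo, and the stdlib HMAC-based sealing stands in for the standard AEAD a real deployment would use.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret held only by the account provider (the site, e.g. GitHub
# in the article's trial). The recovery provider never sees it, which is what keeps
# the token it stores opaque to it. The one-week lifetime is an assumption.
SITE_KEY = b"demo-site-key-not-for-production"
TOKEN_TTL = 7 * 24 * 3600

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in PRF; a real deployment
    # would seal the token with a standard AEAD such as AES-GCM instead.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def issue_token(user_id, now=None):
    """Account provider: seal a recovery token the user parks at the recovery provider."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + TOKEN_TTL}).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(SITE_KEY, nonce, len(payload))))
    tag = hmac.new(SITE_KEY, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag  # the recovery provider stores exactly these bytes

def redeem_token(blob, now=None):
    """Account provider: verify a token sent back by the user; return the user id, or None."""
    now = time.time() if now is None else now
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(SITE_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # forged or tampered: reject before decrypting
        return None
    payload = bytes(c ^ k for c, k in zip(ciphertext, _keystream(SITE_KEY, nonce, len(ciphertext))))
    claims = json.loads(payload)
    if claims["exp"] < now:  # stale token: the user must issue a fresh one
        return None
    return claims["sub"]
```

Proving identity to the recovery provider before it hands the blob back is a separate step that this sketch leaves to that provider.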
“No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token. We can get you back into your account even if you drop your phone off the boat,” Hill added.
Currently in a limited trial with GitHub, Delegated Recovery is covered by Facebook's bug bounty program, which gives security researchers an opportunity to look for flaws and potential vulnerabilities in the feature. At the same time, it is being open-sourced so that other websites can adopt it.
“We’re building this and giving it away because recovery is a problem every online service shares. Recovery isn’t a product, it’s a foundation. Secure access is the foundation on which we build all our other products.”