Facebook has created a new authentication feature designed to help GitHub users securely recover their accounts should they lose access.
Beginning on 31 January, members of the online project hosting service will be able to recover access to their accounts via their social media profile. All they need to do is set up a recovery token with the social networking service. They can then re-authenticate themselves using that token at any time.
Brad Hill, a security engineer at Facebook, explains more in a blog post:
“You’ll need to set up this method in advance by saving a recovery token with your Facebook account. A recovery token is encrypted so Facebook can’t read your personal information. If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn’t share your personal data with GitHub, either; they only need Facebook’s assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.”
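The flow Hill describes, as an added illustration that is not Facebook's or GitHub's code: GitHub issues a token it alone can read, the user saves it with Facebook, Facebook later returns it with a time-stamped counter-signature, and GitHub verifies the counter-signature and decrypts its own token. HMAC-SHA256 stands in for the real encryption and signature primitives, and the key values and freshness window are assumptions made for the example.

```python
import hashlib, hmac, json, os, time

# Constructed keys for the illustration. Assumption: in a real deployment
# GitHub holds an authenticated-encryption key and Facebook a signing key
# pair; HMAC-SHA256 stands in for both so the example runs on the stdlib.
GITHUB_TOKEN_KEY = os.urandom(32)
FACEBOOK_SIGNING_KEY = os.urandom(32)
MAX_SKEW_S = 300  # assumed freshness window for the counter-signature

def _keystream(key, nonce, n):
    # Toy counter-mode keystream from HMAC (stand-in for a real AEAD cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def github_issue_token(user_id):
    """GitHub side: encrypt and MAC {user, issued}; the user saves the
    resulting opaque blob with Facebook, which cannot read it."""
    nonce = os.urandom(16)
    plain = json.dumps({"user": user_id, "issued": int(time.time())}).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(GITHUB_TOKEN_KEY, nonce, len(plain))))
    return nonce + ct + _mac(GITHUB_TOKEN_KEY, nonce + ct)

def facebook_countersign(token, now=None):
    """Facebook side: after the user re-authenticates, return the token unchanged
    plus a time-stamped counter-signature; no data inside the token is needed."""
    ts = int(time.time()) if now is None else now
    return {"token": token, "ts": ts,
            "sig": _mac(FACEBOOK_SIGNING_KEY, token + ts.to_bytes(8, "big"))}

def github_recover(msg, now=None):
    """GitHub side: check Facebook's counter-signature and its freshness, then
    authenticate and decrypt the token. Returns the user id, or None on failure."""
    ts = int(time.time()) if now is None else now
    token = msg["token"]
    if not hmac.compare_digest(msg["sig"], _mac(FACEBOOK_SIGNING_KEY, token + msg["ts"].to_bytes(8, "big"))):
        return None  # not countersigned by Facebook, or token altered in transit
    if abs(ts - msg["ts"]) > MAX_SKEW_S:
        return None  # stale counter-signature being replayed
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _mac(GITHUB_TOKEN_KEY, nonce + ct)):
        return None  # not a token GitHub issued
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(GITHUB_TOKEN_KEY, nonce, len(ct))))
    return json.loads(plain)["user"]
```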
The social media giant designed this feature to improve upon common account recovery techniques. In Facebook’s reasoning, an attacker who has done a bit of research can easily guess a target user’s security answers. And while authentication via email or an SMS code is convenient, these methods assume that an attacker hasn’t compromised the user’s email account or mobile device.
Facebook hopes this new method will let users easily and securely authenticate themselves regardless of whether they have access to their email or phone. That’s why it’s piloting the recovery token with GitHub in the expectation that the security community will provide meaningful feedback and report any vulnerabilities. If everything works out, the social networking company plans to begin designing recovery tokens for other web services.
Hill hopes this new feature will revolutionize the account recovery process:
“Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts.”
Facebook’s trial of recovery tokens comes less than a week after the social media giant announced physical security keys as a viable means of identity verification for its users.