Facebook challenges email for control of your online identity

Getting locked out of your account sucks. Almost everyone has experienced the frustration of forgetting a password, losing the phone on which they receive two-factor authentication codes, or jumbling the answer to a security question.

But as exasperating as it is to lose access to your account, none of the widely-available measures for account recovery are very secure. Major breaches like the recently-disclosed Yahoo hacks often include not only passwords but also answers to security questions, which hackers can recycle across other sites to compromise your accounts. Many sites will respond to a lost password report by sending a recovery link to the user’s email, which could itself be compromised.

Facebook wants to fix the process of account recovery — and replace email as the hub of online identity management in the process.

Facebook security engineer Brad Hill announced today at the USENIX Enigma conference that his company is launching an account recovery feature for other websites called Delegated Recovery. Facebook will let users set up encrypted recovery tokens for sites like Github, and if a user ever loses access to her Github account, she will send the stored token from her Facebook profile back to Github, proving her identity and unlocking her account. Encryption of the token provides privacy — Facebook can’t read the information stored in the token, and it won’t share information about your identity with third-party websites.

“No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token,” Hill told TechCrunch, pointing out some of the flaws with SMS two-factor authentication and password reset emails. “We can get you back into your account even if you drop your phone off the boat.”

Delegated Recovery isn’t just a security feature — it’s a way for Facebook to convince users to center their online identity around their Facebook profile, rather than their email address. Account recovery has typically revolved around the email you use to register for all your online accounts, where you’ll receive a password reset email if you get locked out.

“There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online,” Hill explained.

By moving account recovery to an encrypted token system on Facebook, the company can offer improved security and elbow email out of its way in the process.

Facebook’s account recovery feature will be available in a limited trial with Github, starting tomorrow. The feature will be part of Facebook’s bug bounty program, allowing security researchers to test it and point out vulnerabilities. The tool is being released as open-source, allowing other websites to implement it.

“We’re building this and giving it away because recovery is a problem every online service shares. Recovery isn’t a product, it’s a foundation. Secure access is the foundation on which we build all our other products,” Hill told the Enigma audience.