Facebook expands delegated account recovery in a play for the next billion users

Facebook is expanding a new account recovery tool it debuted in January that allows other sites such as GitHub to establish encrypted account recovery tokens that are stored by Facebook. When a user loses their GitHub password and gets locked out of their account, they send the recovery token from Facebook back to GitHub, proving their identity.

It’s a slick security feature that will be an easy sell for privacy pros, but it’s also a crucial component of Facebook’s strategy to make sure the next billion internet users center their online experiences around Facebook.

At the F8 developer conference today, Facebook is releasing SDKs and documentation that will allow developers aside from GitHub to set up Delegated Account Recovery for their own test users. Once the setup is in place, developers can apply to Facebook’s beta program and start making the feature available to their users.

Delegated Account Recovery is designed to make account recovery more secure. If you’ve ever forgotten a password (and who hasn’t?) you know the recovery process usually involves a link sent to your email or a security code texted to your phone. But email can easily be compromised if a user’s password has been included in a data breach or if they’ve fallen for a phishing scheme, and texted security codes can get lost in transmission if you’ve upgraded to a new phone or changed your number.

“The system is designed to be resilient even to large scale data dumps of email and user databases that have become too common. With independently held cryptographic keys needed to use them, recovery tokens offer a level of security that we don’t see from email,” Facebook security engineer Brad Hill explained in a blog post.

But even if the highest level of account security isn’t a selling point for some users, Hill gave me a succinct and compelling pitch for why Delegated Account Recovery is better than other methods when he debuted the feature back in January: “We can get you back into your account even if you drop your phone off the boat.”

Facebook launched the feature with GitHub, whose users are inclined to be more technical and can more easily navigate the set-up process. Now that Facebook is expanding Delegated Account Recovery to other sites, it will need to sell developers on the idea that the extra set-up hurdles — and the association with Facebook — are worth the switch from email.

Some online retailers might be quick to adopt Delegated Account Recovery, but it’s easy to imagine Amazon, Google or Twitter being resistant to the idea. That’s part of why the project is open source: other companies could establish themselves as identity hubs, too. “Eliminating fraud is a shared goal, not a competitive space,” Hill said. “Having multiple providers will be helpful to this ecosystem.” If the ecosystem grows, security could expand too. Users could store recovery tokens for encrypted data across several different sites, so a user would need to prove access to multiple accounts in order to decrypt the data.

Getting other companies to participate, either by storing recovery tokens with Facebook or issuing tokens themselves, will help Facebook grow in markets outside the U.S. and Europe where email recovery is already uncommon.

“Facebook user surveys are revealing a decline in the use of personal email and a growing preference for phone number as an account identifier. In some parts of Africa and the Asia Pacific region, the preference for phone number over email is as high as 70%,” Hill explained. “And in many of those same places where phone number is most popular, it is also a very unstable identifier. People often have multiple SIM cards, switch numbers frequently to get a better deal, and treat phone numbers as spam collection accounts like people in English-speaking markets often do with email.”

Because users in these markets are abandoning email in favor of phone numbers as their primary identity hub, Facebook needs to follow that trend. Establishing itself as the keyholder for users’ online identities gives Facebook continuity, even as its users abandon SIM cards or change email addresses. Like Internet.org, Facebook’s program to provide free access to some internet services, Delegated Account Recovery could make Facebook a foundational part of the online experience for the next billion users.

“If you depend on email for recovery, you’re going to miss connecting with a lot of people. And, if you are signing people up to your service with a phone number, it is critical you have a way to recover when that number changes,” Hill added.

If Facebook can instigate wide adoption of Delegated Account Recovery, it will be a win for user security inside and outside of Facebook, as well as for the company’s expansion plans. Now that the feature is open to developers outside GitHub, we’ll see how widely it will be adopted.