Facebook Could Have A Solution To The ‘Forgotten Passwords’ Problem

Facebook has identified forgotten passwords as one of the problems that troubles users most, and it has devised a remedy. The new service will allow users who lose their GitHub login credentials to securely regain access to their accounts. The process takes just a few seconds and a handful of clicks over encrypted HTTPS Web links.

No sharing of personal information

To use the service, Facebook users are required to create a GitHub recovery token in advance and save it within their Facebook account. If they lose their GitHub login credentials, they can re-authenticate to Facebook, which will send the token to GitHub with a time-stamped signature on the user’s request. GitHub restores the account once it receives the request.

Even Facebook will not be able to read any of the personal information stored in the token, as it is encrypted. During the process, no exchange or sharing of personal information takes place between Facebook and GitHub, except the assertion from Facebook that the person recovering the GitHub account is the same who saved the token, notes ArsTechnica.
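The two paragraphs above describe three moves: the account provider issues a token the recovery provider cannot read, the recovery provider stores it and later returns it with a time-stamped countersignature, and the account provider checks that signature before restoring access. The following toy model, added here as an illustration and not Facebook's or GitHub's code, walks through that flow and shows what the account provider has to verify (trusted signer, fresh timestamp, intact token, no reuse). It assumes HMAC-SHA256 as a stand-in for the real public-key signature and an HMAC-derived keystream as a stand-in for the real authenticated encryption, so it runs on the Python standard library alone; the provider names, field names and the 300-second freshness window are constructed for the example.

```python
"""Toy model of a delegated account-recovery flow (added example, not the protocol's own code).

Roles follow the article: an account provider (GitHub's role) issues an opaque
recovery token; a recovery provider (Facebook's role) stores it without being
able to read it and, after re-authenticating the user, returns it with a
time-stamped countersignature that the account provider verifies.

Assumptions: HMAC-SHA256 stands in for the real public-key signature, and an
HMAC-derived keystream stands in for the real authenticated encryption.
"""
import base64
import hashlib
import hmac
import json
import os
import time

MAX_AGE_SECONDS = 300  # assumed freshness window for the countersignature


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def unb64(text):
    return base64.urlsafe_b64decode(text)


def _keystream(key, nonce, length):
    """Counter-mode keystream derived from HMAC (toy stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AccountProvider:
    """The site whose login the user may lose (GitHub's role)."""

    def __init__(self, name):
        self.name = name
        self.enc_key, self.mac_key = os.urandom(32), os.urandom(32)
        self.recovery_keys = {}      # recovery provider name -> verification key
        self.used_token_ids = set()  # each token may restore the account once

    def issue_token(self, username, recovery_provider):
        """Step 1: the user creates a token in advance; only this provider can read it."""
        token_id, nonce = b64(os.urandom(16)), os.urandom(16)
        body = json.dumps({"user": username}).encode()
        ct = _xor(body, _keystream(self.enc_key, nonce, len(body)))
        header = f"{token_id}|{self.name}|{recovery_provider}".encode()
        tag = hmac.new(self.mac_key, header + nonce + ct, hashlib.sha256).digest()
        return {"id": token_id, "issuer": self.name, "audience": recovery_provider,
                "nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}

    def recover(self, assertion, now=None):
        """Step 4: return the username if the countersigned token is valid, else None."""
        now = time.time() if now is None else now
        tok, signer, ts = assertion["token"], assertion["signer"], assertion["timestamp"]
        # (a) countersignature must come from a registered recovery provider
        key = self.recovery_keys.get(signer)
        if key is None:
            return None
        signed = (json.dumps(tok, sort_keys=True) + str(ts)).encode()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), unb64(assertion["sig"])):
            return None
        # (b) the request carries a time-stamp; reject stale or future-dated ones
        if not 0 <= now - ts <= MAX_AGE_SECONDS:
            return None
        # (c) token is ours, bound to this recovery provider, untampered and unused
        if tok["issuer"] != self.name or tok["audience"] != signer or tok["id"] in self.used_token_ids:
            return None
        nonce, ct = unb64(tok["nonce"]), unb64(tok["ct"])
        header = f"{tok['id']}|{tok['issuer']}|{tok['audience']}".encode()
        tag = hmac.new(self.mac_key, header + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, unb64(tok["tag"])):
            return None
        self.used_token_ids.add(tok["id"])
        return json.loads(_xor(ct, _keystream(self.enc_key, nonce, len(ct))))["user"]


class RecoveryProvider:
    """The site that stores the opaque token and vouches for the user (Facebook's role)."""

    def __init__(self, name):
        self.name = name
        self.sign_key = os.urandom(32)
        self.vault = {}  # own user id -> stored tokens; "ct" is unreadable here

    def save_token(self, own_user, token):
        """Step 2: keep the token as an opaque blob tied to this provider's own account."""
        self.vault.setdefault(own_user, []).append(token)

    def countersign(self, own_user, token_id, now=None):
        """Step 3: called only after own_user re-authenticated here; asserts 'same person'."""
        now = int(time.time() if now is None else now)
        tok = next(t for t in self.vault.get(own_user, []) if t["id"] == token_id)
        signed = (json.dumps(tok, sort_keys=True) + str(now)).encode()
        sig = hmac.new(self.sign_key, signed, hashlib.sha256).digest()
        return {"token": tok, "signer": self.name, "timestamp": now, "sig": b64(sig)}


def demo_flow(now=1_000_000):
    """Run the flow once; returns (stale result, fresh result, replay result)."""
    github, facebook = AccountProvider("github"), RecoveryProvider("facebook")
    github.recovery_keys["facebook"] = facebook.sign_key  # trust registration (stand-in for a public key)
    tok = github.issue_token("alice", "facebook")
    facebook.save_token("alice@fb", tok)
    assertion = facebook.countersign("alice@fb", tok["id"], now)
    stale = github.recover(assertion, now + MAX_AGE_SECONDS + 1)  # None: time-stamp too old
    fresh = github.recover(assertion, now + 10)                   # "alice": accepted
    replay = github.recover(assertion, now + 20)                  # None: token already used
    return stale, fresh, replay
```

The recovery provider never holds the decryption key, so the `ct` field in its vault is meaningless to it; all it contributes is the statement, bound to a timestamp, that the person who re-authenticated is the one who saved the token. The account provider, for its part, only learns that assertion and nothing else about the user's Facebook profile, which matches the "no sharing of personal information" point in the text.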

How is Facebook’s service better?

The social network’s new service aims to eliminate the hassle and the significant insecurity found in most account recovery systems. Answering security questions such as a person’s favorite sport or favorite pizza topping is a common recovery method, but the answers to such questions are easy to guess, so they are not very safe.

Other recovery methods deliver security tokens by e-mail or SMS text message, but they lack the kind of end-to-end encryption that is expected and needed for secure communications. The new service can also be rate-limited, unlike a compromised e-mail account, which can be used to gain access to dozens of online accounts belonging to its owner, notes ArsTechnica.

Centralizing all password recovery with Facebook sounds scary

Some people might be apprehensive about the idea of centralizing all their password recovery with Facebook. The company’s security engineer, Brad Hill, however, says that the protocol is not exclusive to the social networking service.

“I hope you do trust Facebook, but first of all, we’re opening up this protocol. You’ll be able to choose the accounts you trust, not just Facebook, to do secure recovery,” said Hill.

He added that the company hopes to create a “diverse ecosystem” in which any site can rely on multiple trusted sources for account recovery. The engineer compared it with OAuth, which is an open standard that allows third-party applications to access services such as a user’s account without the risk of handling sensitive password information.