Facebook’s new Delegated Account Recovery service, announced Tuesday at the company’s annual F8 developer’s conference in San Jose, CA, provides a new way to re-gain access to online accounts that may be safer than using an email address.
Almost everyone has forgotten a password at some point, and they usually have to enter their recovery email address to have a password change link sent to their inbox, or answer security questions they set up in the past. However, Facebook thinks that it can provide a better experience, and up the security in the process.
Companies start by creating a secure token, and sending that token to Facebook. If a user is locked out of his or her account for the connected service, Facebook will then take them through a re-authentication process, where they must prove their identity, according to a Facebook blog post.
If the user convinces Facebook of their identity, the token will be sent back to the company with a new cryptographic signature from Facebook, the post said. Because the token stays “sealed” the whole time, Facebook doesn’t have access to the user’s credentials for the site it is working with.
“People using this system can maintain access to their accounts without compromising their security or disclosing personal information like their name or email address,” the post said.
According to the blog post, email wasn’t designed with security in mind, which makes it a poor option for account recovery. But, the post said, Facebook’s new service was “built with a modern threat model” in mind and makes use of Facebook’s other security features.
In addition to mandating cryptographic protections for the tokens, Facebook limits the rate at which accounts can be recovered. If you recently had to recover your Facebook account itself, that also limits your ability to recover other linked accounts, the post said.
If the recovery link between the participating company and Facebook is broken, Facebook will provide a webhook callback. Users can also store data in their security tokens, but Facebook will never have access to the tokens’ contents, the post said.
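The flow described above (a service seals a token, the recovery provider stores it without being able to read it, and on successful re-authentication returns it countersigned, subject to a rate limit) as a self-contained toy model. This is an added example, not code from the article or from Facebook's SDK: the class names, the HMAC-based sealing and countersignature, and the rate-limit numbers are all constructed here. Real deployments would use an authenticated cipher such as AES-GCM for sealing and a public-key signature for the countersignature; the standard-library HMAC constructions stand in for both so the block runs offline.

```python
# Added example: toy model of delegated account recovery with a sealed token.
# Not from the article or from Facebook's SDK; all keys and names are constructed.
import hashlib
import hmac
import json
import secrets
import struct

SHA256 = hashlib.sha256


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (use AES-GCM in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), SHA256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only the sealing-key holder can open it."""
    enc_key = hmac.new(key, b"enc", SHA256).digest()   # derive separate encryption key
    mac_key = hmac.new(key, b"mac", SHA256).digest()   # derive separate integrity key
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, SHA256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key or a modified blob raises ValueError."""
    enc_key = hmac.new(key, b"enc", SHA256).digest()
    mac_key = hmac.new(key, b"mac", SHA256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, SHA256).digest(), tag):
        raise ValueError("sealed token is tampered or sealed under another key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RecoveryProvider:
    """Plays Facebook's role: stores sealed tokens it cannot read, re-authenticates the
    user (modelled as a boolean here), rate-limits recoveries, and countersigns the token."""

    def __init__(self, signing_key: bytes, max_recoveries: int = 3, window_seconds: int = 3600):
        self._signing_key = signing_key
        self._max = max_recoveries
        self._window = window_seconds
        self._tokens = {}        # provider user id -> sealed token (opaque bytes)
        self._recoveries = {}    # provider user id -> timestamps of recent recoveries

    def save_token(self, user_id: str, sealed_token: bytes) -> None:
        self._tokens[user_id] = sealed_token

    def recover(self, user_id: str, identity_verified: bool, now: int):
        if not identity_verified:
            raise PermissionError("re-authentication failed")
        recent = [t for t in self._recoveries.get(user_id, []) if now - t < self._window]
        if len(recent) >= self._max:
            raise PermissionError("recovery rate limit exceeded")
        recent.append(now)
        self._recoveries[user_id] = recent
        token = self._tokens[user_id]
        # Countersign the still-sealed bytes; HMAC stands in for a public-key signature.
        countersig = hmac.new(self._signing_key, token, SHA256).digest()
        return token, countersig


class RelyingService:
    """Plays the participating company's role: seals tokens and later verifies the
    provider's countersignature before trusting the recovered account identity."""

    def __init__(self, seal_key: bytes, provider_verify_key: bytes):
        self._seal_key = seal_key
        self._verify_key = provider_verify_key

    def issue_token(self, account_id: str) -> bytes:
        payload = {"account": account_id, "nonce": secrets.token_hex(8)}
        return seal(self._seal_key, json.dumps(payload).encode())

    def complete_recovery(self, token: bytes, countersig: bytes) -> str:
        expected = hmac.new(self._verify_key, token, SHA256).digest()
        if not hmac.compare_digest(expected, countersig):
            raise PermissionError("countersignature invalid")
        return json.loads(unseal(self._seal_key, token))["account"]


def demo() -> str:
    """Full round trip with constructed keys; returns the recovered account id."""
    seal_key = secrets.token_bytes(32)
    provider_key = secrets.token_bytes(32)   # shared HMAC key stands in for a verify key
    provider = RecoveryProvider(provider_key)
    service = RelyingService(seal_key, provider_key)
    token = service.issue_token("alice@example.test")   # constructed account id
    provider.save_token("fb-user-1", token)
    returned, sig = provider.recover("fb-user-1", identity_verified=True, now=1000)
    return service.complete_recovery(returned, sig)


if __name__ == "__main__":
    print("recovered account:", demo())
```

The property worth checking is that the provider never holds anything it can read: the stored token is random-looking ciphertext, the account identifier is only recovered on the service side after the countersignature verifies, and a forged or missing countersignature, a failed re-authentication, or too many recoveries inside the window each abort the flow.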
The service was initially announced in January, but the firm has since published SDKs, documentation, and example applications used with the service. It is currently in closed beta, but users can get more information on its webpage, here.
Source: TechRepublic Link: http://www.techrepublic.com/article/facebook-offers-account-recovery-service-thats-more-secure-than-email/