Dive Brief:
-
Facebook is testing an account recovery feature for other websites called Delegated Recovery wherein a person’s online identity would revolve around their Facebook profile rather than their email address, TechCrunch reports.
-
There are technical reasons why recovery emails used for logins aren't secure, according to Facebook security engineer Brad Hill at the USENIX Enigma conference. "Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online.”
-
Delegated Recovery instead lets a Facebook user set up encrypted recovery tokens for sites like GitHub and store them on Facebook; the token is opaque to Facebook and can only be read by the site that issued it. The feature is now available for testing through GitHub.
Dive Insight:
Security experts have warned about the weaknesses of account recovery mechanisms for years. Traditional account recovery methods are just not all that secure: security questions can be guessed or looked up, a password reset link can be sent to a user's already compromised email account, and if a user loses the device tied to their account, they're often out of luck completely.
Using Facebook's proposed new approach, users skip email altogether: a site such as GitHub issues an encrypted recovery token, the user stores it on Facebook, and when recovery is needed Facebook hands the token back to the issuing site after the user re-authenticates with Facebook.
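How such a delegated recovery exchange fits together, as an added illustration that is not Facebook's protocol or GitHub's code: the account provider issues a signed token whose user binding is encrypted under a key only it holds, the recovery provider stores the token without being able to read it and later returns it countersigned, and the account provider checks both signatures, the audience binding and single use before granting access. HMAC-SHA256 keyed MACs stand in for the asymmetric signatures and published public keys a real deployment would use, an HMAC counter-mode keystream stands in for an AEAD cipher, and the hostnames and user ids are made up.

```python
"""Simplified delegated account recovery exchange (illustration only, not
Facebook's specification). HMAC stands in for signatures; the keystream
stands in for an AEAD cipher; all names are hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with a counter-mode keystream built from HMAC-SHA256."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def _sign(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_mac(key, payload))


def _verify(key: bytes, signed: str):
    """Return the parsed body if the MAC matches, otherwise None."""
    try:
        payload_b64, sig_b64 = signed.split(".")
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(_unb64(sig_b64), _mac(key, payload)):
            return None
        body = json.loads(payload)
        return body if isinstance(body, dict) else None
    except (ValueError, TypeError):
        return None


class AccountProvider:
    """Site whose login may need recovery (GitHub in the article). Only it
    holds the keys that decrypt or verify the tokens it issues."""

    def __init__(self, name: str):
        self.name = name
        self.enc_key = secrets.token_bytes(32)
        self.sig_key = secrets.token_bytes(32)
        self.rp_keys = {}  # stand-in for fetching each recovery provider's public key
        self.used_token_ids = set()

    def issue_token(self, user_id: str, recovery_provider: str) -> str:
        """Created while the user is still logged in; the user id is encrypted."""
        token_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        binding = json.dumps({"user": user_id, "token_id": token_id}).encode()
        body = {"issuer": self.name, "audience": recovery_provider,
                "token_id": token_id, "issued": int(time.time()),
                "nonce": _b64(nonce),
                "data": _b64(_xor_stream(self.enc_key, nonce, binding))}
        return _sign(self.sig_key, body)

    def recover(self, countersigned: str):
        """Return the user id the token is bound to, or None on any failure."""
        try:  # read the unverified issuer claim only to pick the key to verify with
            claimed_rp = json.loads(_unb64(countersigned.split(".")[0]))["issuer"]
            rp_key = self.rp_keys[claimed_rp]
        except (ValueError, KeyError, TypeError):
            return None
        outer = _verify(rp_key, countersigned)
        if outer is None or outer.get("audience") != self.name:
            return None
        inner = _verify(self.sig_key, outer.get("token", ""))
        if inner is None or inner.get("issuer") != self.name:
            return None
        # The token must come back from the provider it was issued to, once only.
        if inner.get("audience") != claimed_rp or inner["token_id"] in self.used_token_ids:
            return None
        nonce, data = _unb64(inner["nonce"]), _unb64(inner["data"])
        binding = json.loads(_xor_stream(self.enc_key, nonce, data))
        if binding["token_id"] != inner["token_id"]:
            return None
        self.used_token_ids.add(inner["token_id"])
        return binding["user"]


class RecoveryProvider:
    """Identity provider that stores tokens it cannot read (Facebook in the article)."""

    def __init__(self, name: str):
        self.name = name
        self.sig_key = secrets.token_bytes(32)
        self.vault = {}  # account holder -> opaque tokens

    def save(self, holder: str, token: str):
        self.vault.setdefault(holder, []).append(token)

    def countersign(self, holder: str, account_provider: str) -> str:
        """After the holder re-authenticates here, return the token countersigned."""
        return _sign(self.sig_key, {"issuer": self.name, "audience": account_provider,
                                    "token": self.vault[holder][-1], "ts": int(time.time())})


def demo() -> dict:
    github = AccountProvider("github.example")
    facebook = RecoveryProvider("facebook.example")
    imposter = RecoveryProvider("imposter.example")  # a different, registered provider
    github.rp_keys = {facebook.name: facebook.sig_key, imposter.name: imposter.sig_key}
    token = github.issue_token("octocat", facebook.name)
    facebook.save("alice", token)
    imposter.save("alice", token)  # constructed: the same token leaked to another provider
    good = facebook.countersign("alice", github.name)
    forged = good.split(".")[0] + "." + _b64(bytes(32))
    return {
        "opaque": "octocat" not in json.dumps(_verify(github.sig_key, token)),
        "wrong_rp": github.recover(imposter.countersign("alice", github.name)),
        "forged_sig": github.recover(forged),
        "first": github.recover(good),
        "replay": github.recover(good),
    }
```

The checks that matter are in `recover`: the countersignature proves the token came back through the provider the user chose, the audience claim stops a token issued to one provider from being presented by another, the inner signature and encrypted binding stop anyone from minting or altering tokens, and the used-token set makes each token single use so a captured one cannot be replayed.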
Facebook is currently inviting security researchers to test the feature for vulnerabilities. Given the heightened concerns over security, the approach might offer an alternative for those less inclined to rely on email as the root of their online identity.