Facebook's Delegated Recovery Method Tries to Improve Upon Two-Factor Authentication

Highlights
  • Facebook has open sourced the feature for wider application
  • The tokens generated as part of this method are encrypted
  • The new feature is also eligible for the company's bug bounty programs

Facebook has announced a new recovery tool, called Delegated Recovery, which aims to help users improve their account security. The social networking site has released the feature in collaboration with GitHub in a limited manner to gather customer feedback, but has shared the protocol behind it so that more services can adopt the recovery design going ahead. Notably, the company last week added NFC-based two-factor authentication, alongside support for physical security keys.

The Delegated Recovery method is being demonstrated on GitHub, and makes use of encrypted tokens that are stored in users' Facebook accounts. These allow users to get back into their GitHub account in case they lose access. As these tokens are encrypted, Facebook says that it cannot read users' personal information. The tool is said to be an additional authentication method that can supplement two-factor authentication.

"If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are," Facebook said in a note on its website.
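The flow described above, modelled as an added example (not Facebook's or GitHub's code, and not the published protocol's wire format): the account provider encrypts a token, the recovery provider stores it opaquely and returns it with a time-stamped counter-signature, and the account provider checks signature, freshness and token origin before recovering the account. AES-256-GCM, Ed25519, the five-minute window and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed keys. The token key never leaves the account provider (GitHub's
// role); the recovery provider (Facebook's role) holds only a signing key pair.
const accountKey = crypto.randomBytes(32);
const recovery = crypto.generateKeyPairSync('ed25519');
const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

// Account provider: seal the account reference into an opaque token.
function issueToken(accountId) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', accountKey, iv);
  const ct = Buffer.concat([c.update(accountId, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // iv | tag | ciphertext
}

// Recovery provider: after re-authenticating the user, hand the stored token
// back with a time-stamped counter-signature. It never decrypts the token.
function countersign(token, now = Date.now()) {
  const issuedAt = Buffer.alloc(8);
  issuedAt.writeBigUInt64BE(BigInt(now));
  const signed = Buffer.concat([issuedAt, token]);
  const signature = crypto.sign(null, signed, recovery.privateKey);
  return { token, issuedAt, signature };
}

// Account provider: check the counter-signature, then freshness, then that
// the token decrypts under its own key, before starting recovery.
function redeem({ token, issuedAt, signature }, now = Date.now()) {
  if (issuedAt.length !== 8) return { ok: false, reason: 'bad signature' };
  const signed = Buffer.concat([issuedAt, token]);
  if (!crypto.verify(null, signed, recovery.publicKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  const age = now - Number(issuedAt.readBigUInt64BE());
  if (age < 0 || age > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  try {
    const iv = token.subarray(0, 12);
    const d = crypto.createDecipheriv('aes-256-gcm', accountKey, iv);
    d.setAuthTag(token.subarray(12, 28));
    const pt = Buffer.concat([d.update(token.subarray(28)), d.final()]);
    return { ok: true, accountId: pt.toString('utf8') };
  } catch {
    return { ok: false, reason: 'token not issued by us' };
  }
}
```

The timestamp is covered by the signature, so a captured response cannot be replayed after the window, and the recovery provider only ever handles ciphertext.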

The social networking firm says that going ahead, it wants to give users the option of recovering access to their Facebook account using other accounts such as GitHub. The company essentially wants to improve upon traditional password recovery tools such as security questions, which it says are inconvenient as well as risky.

"Recovery emails and SMS messages are common alternatives, and while they can get the job done, both are showing their age: neither offers the end-to-end security guarantees we expect from modern protocols," it added.

"GitHub maintains direct control of how it authenticates its users, how it assesses password strength and other risk signals, and how it deploys a diverse set of two-factor authentication methods.

So what do you do if you lose access to the phone number or security keys you use at GitHub? An email address alone can't provide the same level of two-factor authentication to recover access, so starting Tuesday, you'll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub," the company elaborated on the motive behind the method.

The new feature has also been included in Facebook's bug bounty programs so that researchers can look for flaws and vulnerabilities in the new recovery method. Considering that tokens for all supported websites will be stored in your Facebook account, it is likely to become a hub of users' online account information.

© Copyright Red Pixels Ventures Limited 2024. All rights reserved.