Facebook introduces delegated recovery to replace passwords, security questions

Facebook has introduced a way for users to regain access to accounts protected by login approvals when they can no longer reach their phone numbers or security keys. Facebook account owners can now use the Facebook platform to help reset passwords on other websites. As of Tuesday, GitHub account holders can use their Facebook accounts as an extra authentication factor in the recovery process, announced Brad Hill, Security Engineer at Facebook.

The new feature, named “delegated recovery,” aims to improve the account recovery experience and privacy by making recovery harder for attackers to exploit. The strategy is part of a larger industry push to deploy two-factor authentication across all channels and to get rid of the traditional password and outdated security questions.

Like passwords, security questions are often weak and outdated: the answers are frequently reused across multiple accounts and can no longer be considered safe.

Texts and recovery emails might be slightly more reliable, yet “both are showing their age: neither offers the end-to-end security guarantees we expect from modern protocols, and these methods are becoming less reliable as the next billion people are getting online for the first time,” explained Hill.

Facebook is relying on the security community and bug bounty program participants for feedback on the feature, which is an important reason the feature is being released first with GitHub.

“We’re releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs,” said Hill.

The protocol behind the feature is available on GitHub.
