​Facebook wants to kill account recovery security questions

Facebook has released an token-based account recovery tool that it contends is safer, faster and more secure than security questions and email or SMS messages for account recovery.

Facebook is using its clout with developers and massive user-base to solve account recovery challenges affecting for all websites that rely on user passwords to control access. If the tool catches on with developers, it could also further Facebook's role as a provider of online identities.

Existing account recovery processes are a well-known and unsolved problem. The worst sites still send your password in the clear or unencrypted to your email account, which could be compromised. But even the more secure option of password reset links sent via email can be problematic.

When it comes to security questions, website developers are also prone to picking bad ones, whose answers can be gleaned from a person’s social media profiles. Additionally, security questions and answers aren’t always protected, as Yahoo’s recently revealed breach highlighted. Knowledge of the answers could be used to abuse account recovery options on other sites that may also use the same questions.

Facebook’s answer is a new encrypted token-based protocol, dubbed Delegated Recovery, which it announced at the USENIX Enigma conference today. The account recovery tool is launching as a limited trial with code-repository, GitHub, in order to gain feedback on the process.

Instead of GitHub users receiving an SMS and email links from GitHub, or having to answer security questions, Facebook will send GitHub an encrypted security token that vouches for the identity of the Facebook user who is attempting to recover a GitHub account.

It will allow developers to use their Facebook account to prove their identity if they’ve been locked out of their GitHub account and, don't have access to their phone number or Universal 2 Factor (U2F) security keys.

"An email address alone can't provide the same level of two-factor authentication to recover access, so starting Tuesday, you'll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub.," explained Brad Hill, a security engineer at Facebook.

To use Facebook’s account recovery token, GitHub users will need to save the token with their Facebook account, allowing them to recover their account from a browser over a secure HTTPS connection. Since the recovery token is encrypted, Facebook says it can’t read users’ personal information.

“If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature,” said Hill.

“Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are,” he added.

The protocol “allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user at a third party service provider”, Facebook says on its GitHub page .

While the aim is to eventually allow all websites to implement the account recovery protocol with Facebook as the verifying actor, Hill said that Facebook also wants to offer people the ability to recover a Facebook account from another service, like GitHub.

To support this, it and GitHub will be publishing open source guides to help others simplify account recovery.

According to Hill, any hackers who find a security issue with the new tool will be jointly rewarded by Facebook and GitHub if the bug is serious enough.

Facebook has launched numerous initiatives to tackle password security issues, from scanning the web for compromised logins that match its password database, to helping developers allow users to sign-in to apps with a phone number. On the account recovery side, it also allows users to select trusted friends who can help regain access to an account they've been locked out of.