Losing access to your Facebook account is a big deal, especially if you use it to generate business as well as to keep up with your friends.
Getting control back over “lost” online accounts can be an even bigger deal.
It’s not as though you went into a branch of Facebook, or Google, or Microsoft, and established your identity in a reliable and repeatable way when you opened your account.
And there’s no-one at the branch you’ve never been to who would recognise you with certainty by your appearance, voice and mannerisms.
So you’re stuck with unreliable methods, such as knowing the answer to various “security” questions, or sending in a scanned copy of a driving licence.
Neither of those approaches to account recovery is appealing from a security point of view, or terribly convincing as identification.
But what if there were someone who could speak up for you to the Facebooks of the world, and that you would trust to speak up for you because you selected them for that job in the first place?
That’s the idea behind Facebook’s just-announced Trusted Contacts feature.
You choose three to five trusted contacts who can request account recovery codes on your behalf, but you need to have three codes at the same time to complete the recovery process.
→ To configure this feature, assuming it’s available in your region and language, log in to Facebook and go to the “gear wheel” dropdown menu. Choose Account Settings, go to the Security tab and click on Trusted Contacts, then Choose Trusted Contacts.
This is a bit like setting up a corporate bank account so that it requires multiple signatures, to prevent a rogue director operating alone.
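As an added illustration of the three-of-five threshold described above (this is not Facebook's code, and the page does not say how Facebook actually generates or checks its codes), here is a threshold recovery scheme built from Shamir secret sharing: any three shares reconstruct the recovery secret, while any two reveal nothing about it, which is exactly the "multiple signatures" property the bank-account analogy is after.

```python
"""Threshold (k-of-n) account recovery, modelled with Shamir secret sharing.

Added example, not Facebook's implementation. It shows only the property
the article describes: 3 of 5 recovery codes restore access, 2 do not.
"""
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; all arithmetic is mod PRIME


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Give each trusted contact one point (x, y) on a random polynomial of
    degree threshold-1 whose constant term is the recovery secret."""
    assert 0 < threshold <= shares and 0 <= secret < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(points: list) -> int:
    """Lagrange interpolation at x = 0 over the prime field.

    With fewer than `threshold` distinct points the value returned is
    (with overwhelming probability) unrelated to the secret, so a lone
    contact, or two colluding ones, learn nothing from their codes.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recovery_succeeds(secret: int, codes: list) -> bool:
    """True only if the submitted codes reconstruct the original secret."""
    return recover_secret(codes) == secret


if __name__ == "__main__":
    recovery_secret = secrets.randbelow(PRIME)   # constructed sample secret
    codes = split_secret(recovery_secret, threshold=3, shares=5)
    print("3 codes:", recovery_succeeds(recovery_secret, codes[:3]))   # True
    print("2 codes:", recovery_succeeds(recovery_secret, codes[:2]))   # False
```

Note that the scheme protects against two colluding contacts but not against the social-engineering path described later in the article, where one contact simply collects two other contacts' codes.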
As Facebook points out in its evangelism of this new service:
With trusted contacts, there's no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends.
Will it work?
I’ll give this approach a qualified “Yes.”
I like the fact that this effectively decentralises your identity (or, more correctly, your right to assume a specific identity) on Facebook, and lets you take control of it yourself.
There are risks, however.
As Facebook points out, you need to “choose people you trust, like friends you’d give a spare key to your house.”
But the company may be making a bit of a cultural leap there, because I’m not convinced that we yet treat access to other people’s online accounts with the same gravity as we do access to their property.
Nick Statt, a Readwriteweb journalist who was still at college when Facebook came onto the social scene, wrote about this very issue under the headline, “Can You Really Trust Your Friends?”
His concern over Trusted Contacts lies mainly in the fact that he, and his friends, seem to have spent their formative adult years in a milieu in which “If anyone left their account open on any computer that wasn’t their own that person’s Facebook account was fair game.”
And even if your friends don’t share what Nick Statt calls the “joy of Facebook hacking,” you have to be sure that your Trusted Contacts will heed Facebook’s own warning:
Your trusted contacts should make sure it's you before giving you security codes.
In theory, three out of the three-to-five chums you choose to be your Trusted Contacts would need to collude to rip your account off.
But in practice, one turncoat “friend” might very well be able to collect three codes for himself by applying social engineering to two of your other friends.
For example, he could ask the others to generate recovery codes and send them to what he says is your new email account, and tell them that you weren’t able to call everyone individually because you had to use a borrowed phone.
Apple took a different approach when it introduced two-factor authentication recently, preferring instead to rely on a single recovery code so that only you can reset your password.
Apple reminds you to write it down and keep it somewhere safe – what you might do, in fact, with a spare key to your house.
That’s an approach I think I prefer, but I can see why Facebook didn’t want to rely on a single, long-lasting recovery code.
After all, the temptation to store the master password somewhere insecure (such as in an unencrypted file on your everyday computer) will just be too great for some users.
Worse still, if you lose that one-off master password, then you’ll lose access to your account forever.
And that, if you remember, is the very problem we were trying to avoid at the top of the article.