Lost your phone? Dropped it off the side of a boat? Did all your account logins and ways to get your two-factor authentication (2FA) codes – kerplop! – go with it?
Facebook’s new plan: to become the account recovery place where you go to fish out all your accounts. At its F8 developer conference on Tuesday, Facebook announced the key to all this: Delegated Account Recovery.
It’s a boring name, but it could become a big deal.
Is it yet another play for Facebook to become something like Jabba the Hutt in the land of password managers? As in, a big, sprawling, in-the-middle-of-all-apps-and-the-web keeper of passwords? Well, no, given that this is about account recovery, not squatting on top of your passwords. But it’s looking like it could place Facebook even more squarely in the middle of our passwords, if not in provisioning per se (some sites already offer Facebook password login as an option, of course) then in account recovery.
It’s a slick security feature that should be a no-brainer for privacy pros, and Facebook is hoping it’s the key to “the next billion people [who] get connected to the internet,” whether they join Facebook or not.
That’s how Facebook security engineer Brad Hill put it in a blog post, when he framed the technology as an ideal alternative for users who forget their passwords, who can’t get at 2FA codes on their devices (as in, say, your smartphone, now swimming with the fishes), or who just don’t want to fuss around with answering security questions.
From Hill’s post:
As the next billion people get connected to the internet, more and more are preferring to sign up and use services with phone numbers instead of email addresses. Delegated Account Recovery offers a way for them to stay connected and secure, whether your customers are experienced developers using GitHub, or people in communities where email isn’t widely used and phone numbers change frequently.
Still in beta, the SDKs and documentation Facebook released at F8 are actually an expansion of an open-source account recovery tool called Delegated Recovery that the company launched in January as a way to deal with the problem of forgotten passwords.
It was initially trialed on GitHub, described as a way to allow an app to “delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider”.
The joint password recovery feature – joint, as in, it’s a handoff of tokens between Facebook and another service, which in this case was GitHub – was also made available on the GitHub platform itself, where it was implemented as a feature called Recover Accounts Elsewhere. If you want to delve into the thing’s guts, go to that link: it’s where GitHub Engineering lays out details, including about the cryptography involved. For example, GitHub said in January that it would be encrypting a secret value using 256-bit AES-GCM associated with an account’s identity in a recovery token object, along with other metadata.
Or, as the site said,
Binary serialization? Symmetric crypto? Elliptic curve digital signatures? Oh my!
As of this week’s release of a closed beta (it’s available if you want to test integration with your own site), delegated account recovery goes beyond GitHub. It goes waaaaaaay beyond GitHub, to span both the web and all apps.
Of course, there are plenty of password managers out there, from the likes of LastPass and Dashlane to the big software companies’ homebaked goodies, such as Apple’s Keychain or the one that Google built into Chrome. How does Facebook’s Delegated Account Recovery differ?
As Forbes’ John Koetsier describes it, most password managers do what they do via the easily connected web. They don’t reach into all the apps in all their silos. For example, Apple Keychain technology can’t autofill a password for you in an app, even if you’re logged into the same company’s website on your iPhone.
Facebook’s delegated account recovery, however, sets up a process to do just that. Yes, these are long tentacles we’re talking about.
Account recovery presents a question to those of us who trust Facebook enough to actually have accounts (some of our readers are devoted anti-Facebookians). Namely, do we trust Mark Zuckerberg et al. with our passwords?
Sure, many distrust Facebook because we know that we, its users, are products. It makes money from our clicks, and that’s made for some bad situations with fake news and, more recently, the horror of live snuff videos. Then again, many distrust Facebook because of its history of shutting off access to the accounts of those whose accounts it doesn’t believe sport their real names.
The good news: judging by what GitHub and Facebook have described, we don’t have to trust Facebook, because it isn’t actually handling our personal information, or our app accounts:
GitHub only stores the token ID, user ID, and token state. Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery. This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.
At no point does GitHub exchange any personally identifiable information with Facebook. Likewise, Facebook does not exchange any personally identifiable data with us.
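To make that storage split concrete, here is an added example (constructed for this article, not GitHub’s or Facebook’s code) of the account-provider side: the token’s only plaintext is a random ID, its secret is sealed under AES-256-GCM with that ID as additional authenticated data, and the provider’s own index holds nothing but token ID, user ID and whether the token is still live. The field layout and key handling are assumptions, and the real protocol’s binary serialization and ECDSA countersignature by the recovery provider are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const idLen, nonceLen = 16, 12
// Account-provider side (GitHub's role): the DB holds only token ID -> user ID, dropped once
// used. The secret lives only in the opaque token the recovery provider (Facebook's role) keeps.
type accountProvider struct {
	aead  cipher.AEAD       // AES-256-GCM; the key is assumed to live in a KMS/HSM, not the DB
	index map[string]uint64 // token ID -> user ID for tokens that are still live
}
func newAccountProvider() *accountProvider {
	key := make([]byte, 32) // constructed per-instance key; 32 bytes, so NewCipher cannot fail
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return &accountProvider{aead: g, index: map[string]uint64{}}
}
// issueToken mints ID || nonce || AES-256-GCM(secret). The ID is passed as additional
// authenticated data, so moving one token's header onto another token's body fails to open.
func (ap *accountProvider) issueToken(userID uint64) []byte {
	hdr := make([]byte, idLen+nonceLen) // plaintext token ID followed by the GCM nonce
	secret := make([]byte, 32)
	rand.Read(hdr)
	rand.Read(secret)
	ap.index[string(hdr[:idLen])] = userID
	return ap.aead.Seal(hdr, hdr[idLen:], secret, hdr[:idLen])
}
// recoverAccount runs when the recovery provider hands the token back: look it up by ID,
// refuse replays, and accept it only if it still opens under the account provider's key.
func (ap *accountProvider) recoverAccount(token []byte) (uint64, error) {
	if len(token) < idLen+nonceLen {
		return 0, errors.New("malformed token")
	}
	id, nonce, ct := token[:idLen], token[idLen:idLen+nonceLen], token[idLen+nonceLen:]
	userID, ok := ap.index[string(id)]
	if !ok {
		return 0, errors.New("unknown or already used token")
	}
	if _, err := ap.aead.Open(nil, nonce, ct, id); err != nil {
		return 0, errors.New("token failed authentication") // wrong key, tampered or relabelled
	}
	delete(ap.index, string(id)) // single use: a dumped index row alone cannot mint a valid token
	return userID, nil
}
```

A dump of the index exposes no secret, and a copy of the token exposes no user ID; only the two halves plus the key complete a recovery, and only once.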
Here’s Facebook’s schematic of how the flow will go between us, Facebook and the apps or services that adopt the technology:
Facebook says that delegated account recovery will be a more secure account recovery vehicle than what’s typically used, which is email. As Hill noted, email gets pushed to all services on all our devices, and those services can’t tell what messages are important – such as those account recovery messages – and which aren’t. Nor do they apply security measures such as rate limiting. If a phishing attack goes unnoticed, for example, it’s free to just keep spreading to all your other accounts on a computer.
Not so with delegated account recovery, Hill says:
It starts with the protections we apply to every login, which includes analysis of signals like known devices and session activity to help detect and block unauthorized access. Then, we require re-authentication to start a recovery. And finally, we apply strict rate limiting for how quickly other accounts can be recovered, and we limit recoveries of other accounts if your Facebook account itself was recently recovered.
Facebook is not going to be able to log you into all your accounts. It will just be helping you to get back into those accounts.
Developers, do you see yourself adopting delegated account recovery for your site? Do you think your users will welcome it as an easy way to recover accounts?
Let us know what you think. It will be interesting to see how many sites adopt it, how much further Facebook thereby wedges itself into our cyber lives, and if it might bring tighter security – which is always welcome.