Facebook today announced a new means of securing your online accounts. Delegated Recovery, as it’s being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) — which should be most of us.
Facebook security engineer Brad Hill explained the fear surrounding 2FA to TechCrunch:
“No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token. We can get you back into your account even if you drop your phone off the boat.”
The security feature addresses the common concern of losing the device tied to your account. For those not familiar with 2FA, rather than just logging in with a password to, say, Twitter, the platform requires a second piece of authentication — typically a text message sent to your cell phone. Losing the device could lock you out of the account, since you could no longer obtain the second means of authentication needed to access the service. Granted, there are workarounds, but it’s a legitimate fear that could be detrimental to widespread adoption of 2FA — which is sorely needed.
With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you’d simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can’t access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
For now, the feature is in a limited trial and only available for use with GitHub (starting tomorrow). The tool has been open-sourced and added to Facebook’s bug bounty program so researchers can test it and point out any security vulnerabilities before Facebook offers it to other websites and platforms as a traditional 2FA alternative.
In moving toward a newer, (perhaps) better system for 2FA, Facebook is also disrupting the status quo. Rather than depending on email, it’s now shifting decades-old behavior to nudge users toward relying on Facebook as a central hub for, well, just about everything.
There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online.
Rumors about the death of email have been greatly overstated, but it’s clear that the desire to kill it isn’t going anywhere. But this does beg the question, what happens when you can’t access your Facebook account? Seems email might be safe for just a while longer.