Facebook and GitHub partnered up to make sure their users never permanently lose access to their accounts. The system, which is based on the Delegated Account Recovery specification written by Facebook security engineer Brad Hill, could eventually be used by other service providers as well.
The system is supposed to fix a simple problem: Two-factor authentication is great until you lose your phone. Then people have to figure out how to regain access to their accounts, and for GitHub, that previously required them to use a confirmed email address to send a valid SSH private key for their account. Delegated account recovery will allow users to regain that access by clicking a few buttons on Facebook’s and GitHub’s websites instead.
GitHub said using the feature is a five-step process. People have to go to their security settings, confirm that they want to store a recovery token, lose access to their account, contact the customer support team, and select GitHub from Facebook’s Recover Accounts Elsewhere feature. Ta-da! That’s it. Right now the system is one-way, which means Facebook accounts can be used to recover GitHub accounts, but soon it will also work in reverse.
Facebook’s ambitions don’t stop with GitHub. Hill explained in a blog post:
Soon, we hope to open the ability for any service to improve its account recovery experience using Facebook. We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook. […] Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts.
This announcement comes shortly after Facebook added support for the Fast Identity Online (FIDO) Alliance’s Universal 2nd Factor (U2F) standard. U2F allows people to secure their accounts with USB security keys instead of relying on codes sent via text message or generated by a mobile app. (Though many companies, including Facebook, do require SMS or app-based codes as backups.) The idea is to make two-factor authentication easier to use.
Facebook and GitHub stressed that enabling this feature won’t result in any data sharing. GitHub explained:
GitHub only stores the token ID, user ID, and token state. Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery. This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.
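The data separation GitHub describes above (one side keeps only token ID, user ID and state; the other keeps an opaque token with an encrypted secret; recovery needs the account provider's encryption and signing keys) can be modelled in a few dozen lines. The following Go program is an added illustration, not code from the Delegated Account Recovery specification, from Facebook's published implementation, or from GitHub; the token layout, the choice of AES-GCM and ed25519, the random 32-byte "secret", the single-use state machine and the sample names (`octocat`, `fb-account-1`) are all assumptions of this model. It shows why a dump of either side's table is useless on its own: the account provider's table has no secret, the recovery provider's vault has only ciphertext and a signature that the account provider alone can check, and a token can be redeemed once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Token is the opaque record vaulted at the recovery provider (Facebook in the article):
// an encrypted secret plus a signature, never the secret itself.
type Token struct {
	ID         string // random token ID; the only field the account provider also keeps
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext of the secret under the account provider's key
	Signature  []byte // ed25519 signature by the account provider over ID || Nonce || Ciphertext
}

// TokenRecord is all the account provider (GitHub in the article) stores per token:
// user ID and state, keyed by token ID. A dump of this table yields no secret.
type TokenRecord struct {
	UserID string
	State  string // "issued", "used" or "invalid"
}

// Vault models the recovery provider's storage: opaque tokens keyed by its own account name.
type Vault map[string]Token

// AccountProvider holds the signing and encryption keys (kept out of the database; an
// HSM or KMS in a real deployment) and the token state table.
type AccountProvider struct {
	signPriv ed25519.PrivateKey
	signPub  ed25519.PublicKey
	encKey   []byte // 32-byte AES-256 key
	records  map[string]TokenRecord
}

func NewAccountProvider() (*AccountProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &AccountProvider{signPriv: priv, signPub: pub, encKey: key, records: map[string]TokenRecord{}}, nil
}

func (ap *AccountProvider) aead() cipher.AEAD {
	block, _ := aes.NewCipher(ap.encKey) // cannot fail: the key length is fixed at 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func signedPayload(t Token) []byte {
	return append(append([]byte(t.ID), t.Nonce...), t.Ciphertext...)
}

// IssueToken is the "store a recovery token" step: mint a token, record (ID, user, state)
// locally, and hand the opaque token to the recovery provider.
func (ap *AccountProvider) IssueToken(userID string) (Token, error) {
	gcm := ap.aead()
	idBytes, secret, nonce := make([]byte, 16), make([]byte, 32), make([]byte, gcm.NonceSize())
	for _, b := range [][]byte{idBytes, secret, nonce} { // secret: random binding value (model assumption)
		if _, err := rand.Read(b); err != nil {
			return Token{}, err
		}
	}
	t := Token{ID: hex.EncodeToString(idBytes), Nonce: nonce}
	// The ID is bound as additional data so a ciphertext cannot be re-labelled with another ID.
	t.Ciphertext = gcm.Seal(nil, nonce, secret, []byte(t.ID))
	t.Signature = ed25519.Sign(ap.signPriv, signedPayload(t))
	ap.records[t.ID] = TokenRecord{UserID: userID, State: "issued"}
	return t, nil
}

// Recover is the step where the recovery provider returns the token: verify our own
// signature, check the state table, decrypt the secret, then burn the token.
func (ap *AccountProvider) Recover(t Token) (string, error) {
	if !ed25519.Verify(ap.signPub, signedPayload(t), t.Signature) {
		return "", errors.New("token signature invalid")
	}
	rec, ok := ap.records[t.ID]
	if !ok || rec.State != "issued" {
		return "", errors.New("token unknown or not in issued state")
	}
	if _, err := ap.aead().Open(nil, t.Nonce, t.Ciphertext, []byte(t.ID)); err != nil {
		return "", errors.New("token secret does not decrypt")
	}
	rec.State = "used" // single use: replaying the same token is rejected
	ap.records[t.ID] = rec
	return rec.UserID, nil
}
```

A typical run issues a token for a user, places it in a `Vault` entry for the recovery-provider account, and later passes that entry back to `Recover`, which returns the user ID once and rejects the same token, a tampered token, or a token minted by a different provider thereafter. The point of the design is that the state table and the vault are each harmless if leaked, and only the keys held outside both databases tie them together, which is the property the GitHub statement above is describing.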
The system is rolling out now. Facebook has published the protocol behind the feature on GitHub, and bugs found in the specification and reported through the Facebook Bug Bounty program are eligible for payment from both companies. Eventually, if the trial goes well, delegated account recovery will become available to other services.