Facebook has proposed a new method for recovering accounts when users forget their passwords or their credentials are stolen by hackers, and it will be first tested by the members of GitHub.
The social media giant wants users to be able to recover their accounts via a method it calls “delegated recovery,” where an application delegates the capability to recover an account to a different account controlled by the same user at a third-party service provider.
GitHub users who want to test the method need to save a special recovery token in their Facebook account. If access to the GitHub account is lost, the user can re-authenticate to Facebook and the token is sent to GitHub with a time-stamped counter-signature to verify their identity.
The token is encrypted and Facebook will not share any personal information with GitHub. Furthermore, the data is transmitted over HTTPS to prevent it from being intercepted by a third-party.
This account recovery system will be covered by the Facebook and GitHub bug bounty programs. Based on feedback received from users, the social media company wants to improve the system and have it adopted by more services. Both Facebook and GitHub will release open source reference implementations in various programing languages.
“Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts,” said Brad Hill, a security engineer at Facebook.
Delegated recovery is promoted as an alternative to security questions, which are known to be risky, and email- and SMS-based methods, which do not offer the security guarantees many users expect today.
The announcement comes just days after Facebook announced support for Universal 2nd Factor (U2F) security keys.
Related: Facebook Launches Certificate Transparency Monitoring Tool
Related: Facebook Awards $40,000 Bounty for ImageTragick Hack
Related: Facebook’s “Osquery” Security Tool Available for Windows

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
