Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Facebook Proposes New Account Recovery Method

Facebook has proposed a new method for recovering accounts when users forget their passwords or their credentials are stolen by hackers, and it will be first tested by the members of GitHub.

Facebook has proposed a new method for recovering accounts when users forget their passwords or their credentials are stolen by hackers, and it will be first tested by the members of GitHub.

The social media giant wants users to be able to recover their accounts via a method it calls “delegated recovery,” where an application delegates the capability to recover an account to a different account controlled by the same user at a third-party service provider.

GitHub users who want to test the method need to save a special recovery token in their Facebook account. If access to the GitHub account is lost, the user can re-authenticate to Facebook and the token is sent to GitHub with a time-stamped counter-signature to verify their identity.

The token is encrypted and Facebook will not share any personal information with GitHub. Furthermore, the data is transmitted over HTTPS to prevent it from being intercepted by a third-party.

This account recovery system will be covered by the Facebook and GitHub bug bounty programs. Based on feedback received from users, the social media company wants to improve the system and have it adopted by more services. Both Facebook and GitHub will release open source reference implementations in various programing languages.

“Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts,” said Brad Hill, a security engineer at Facebook.

Delegated recovery is promoted as an alternative to security questions, which are known to be risky, and email- and SMS-based methods, which do not offer the security guarantees many users expect today.

The announcement comes just days after Facebook announced support for Universal 2nd Factor (U2F) security keys.

Advertisement. Scroll to continue reading.

Related: Facebook Launches Certificate Transparency Monitoring Tool

Related: Facebook Awards $40,000 Bounty for ImageTragick Hack

Related: Facebook’s “Osquery” Security Tool Available for Windows

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.