Facebook is aiming to help make forgotten passwords less troublesome. Today, it will roll out a service which will help GitHub users regain access to their accounts in the event that they forget their password — and it doesn’t involve resetting it.
Typically, recovering a lost password means answering security questions, which can sometimes be guessed, or receiving an email or text message, neither of which is encrypted. Worse still, whoever gains access to one email account can often hijack other accounts through that same email-based recovery process.
“We need something better—a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number. This process needs to be easy, secure, and respectful of your privacy,” wrote Facebook Security Engineer Brad Hill, announcing the service.
Facebook’s new solution has the user set up a “recovery token” in GitHub that is tied to their Facebook account. Should the password be forgotten, the user re-authenticates to Facebook, much as with current two-step verification methods, and the token is forwarded to GitHub with a time-stamped signature, allowing GitHub to securely restore access to the account.
The recovery token would be encrypted, and Facebook and GitHub wouldn’t share any of the user’s personal information — only the fact that the two accounts are connected. It’s said that the process would take just “a few clicks in your browser, all over HTTPS.”
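To make the flow described above concrete, here is an added example in Go; it is not Facebook's or GitHub's code and does not implement their published specification. It models the two roles the article names: the account provider (GitHub's role) mints a token that is encrypted under a key only it holds, so the recovery provider (Facebook's role) stores nothing but an opaque blob; when the user re-authenticates, the recovery provider returns that blob with a time-stamped Ed25519 signature, and the account provider verifies the signature, checks that the timestamp is fresh, and only then decrypts the token and restores access. AES-256-GCM for the token, Ed25519 for the countersignature, the five-minute freshness window, single-use tokens, the out-of-band exchange of the recovery provider's public key and the sample account IDs are all assumptions made for this example, not details from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Countersign: the untouched opaque token, the re-authentication time, and a signature over both.
type Countersign struct {
	Token     []byte
	IssuedAt  int64 // Unix seconds
	Signature []byte
}

func (c Countersign) signedBytes() []byte {
	buf := make([]byte, 8, 8+len(c.Token)) // 8-byte big-endian timestamp || token
	binary.BigEndian.PutUint64(buf, uint64(c.IssuedAt))
	return append(buf, c.Token...)
}

// AccountProvider plays the GitHub role: it mints tokens and later honours them.
type AccountProvider struct {
	aead        cipher.AEAD         // AES-256-GCM under a key only this site holds
	registered  map[[32]byte]string // sha256(token) -> user ID, deleted once used
	recoveryPub ed25519.PublicKey   // assumed obtained out of band from the recovery provider
	maxAge      time.Duration       // how old a countersignature may be
}

func NewAccountProvider(recoveryPub ed25519.PublicKey) *AccountProvider {
	key := make([]byte, 32)
	rand.Read(key)                  // crypto/rand.Read never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(key)  // only fails on a bad key length
	aead, _ := cipher.NewGCM(block) // only fails on a non-128-bit block cipher
	return &AccountProvider{aead: aead, registered: map[[32]byte]string{}, recoveryPub: recoveryPub, maxAge: 5 * time.Minute}
}

// IssueToken seals the user ID so the recovery provider only ever holds an opaque blob.
func (ap *AccountProvider) IssueToken(userID string) []byte {
	nonce := make([]byte, ap.aead.NonceSize())
	rand.Read(nonce)
	token := ap.aead.Seal(nonce, nonce, []byte(userID), nil) // nonce || ciphertext || tag
	ap.registered[sha256.Sum256(token)] = userID             // keep a hash, not the blob
	return token
}

// Recover accepts a countersigned token only if every check below passes, in this order.
func (ap *AccountProvider) Recover(cs Countersign, now time.Time) (string, error) {
	if !ed25519.Verify(ap.recoveryPub, cs.signedBytes(), cs.Signature) {
		return "", errors.New("countersignature does not verify")
	}
	if age := now.Sub(time.Unix(cs.IssuedAt, 0)); age < 0 || age > ap.maxAge {
		return "", errors.New("countersignature outside freshness window")
	}
	fp := sha256.Sum256(cs.Token)
	userID, ok := ap.registered[fp]
	if !ok {
		return "", errors.New("token unknown or already used")
	}
	ns := ap.aead.NonceSize()
	plain, err := ap.aead.Open(nil, cs.Token[:ns], cs.Token[ns:], nil)
	if err != nil || string(plain) != userID {
		return "", errors.New("token failed authenticated decryption")
	}
	delete(ap.registered, fp) // single use: presenting the same proof again fails above
	return userID, nil
}

// RecoveryProvider plays the Facebook role: it stores the blob and countersigns it on request.
type RecoveryProvider struct {
	priv   ed25519.PrivateKey
	stored map[string][]byte // recovery-provider account -> opaque token
}

// Countersign returns the stored blob with a time-stamped signature, but only after re-authentication.
func (rp *RecoveryProvider) Countersign(account string, reauthenticated bool, now time.Time) (Countersign, error) {
	token, ok := rp.stored[account]
	if !reauthenticated || !ok {
		return Countersign{}, errors.New("user not re-authenticated or no token on file")
	}
	cs := Countersign{Token: token, IssuedAt: now.Unix()}
	cs.Signature = ed25519.Sign(rp.priv, cs.signedBytes())
	return cs, nil
}

// RunFlow walks the happy path, then shows a stale countersignature and a replay both refused.
func RunFlow() (recovered string, staleRejected, replayRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with crypto/rand
	rp := &RecoveryProvider{priv: priv, stored: map[string][]byte{}}
	ap := NewAccountProvider(pub)
	rp.stored["fb-account-42"] = ap.IssueToken("gh-user-1234") // constructed sample IDs
	now := time.Now()
	cs, _ := rp.Countersign("fb-account-42", true, now) // true: user just re-authenticated
	_, staleErr := ap.Recover(cs, now.Add(time.Hour)) // the proof presented an hour late
	recovered, _ = ap.Recover(cs, now.Add(10*time.Second))
	_, replayErr := ap.Recover(cs, now.Add(20*time.Second)) // the same proof a second time
	return recovered, staleErr != nil, replayErr != nil
}
```

Two design points matter more than the crypto choices. First, the signature covers the timestamp and the token together, so neither can be swapped into a different proof, and the account provider refuses anything outside its freshness window. Second, the account provider stores only a hash of the token and deletes it on use, so a countersignature that is captured and presented again after a successful recovery is refused; this is what `RunFlow` exercises with its stale and replayed attempts.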
Facebook is testing the feature in collaboration with GitHub and is seeking feedback from the security community, offering cash rewards to anybody who finds vulnerabilities in the program. Facebook has also made the specification available for other websites to make use of in the future.
There’s no denying that online passwords and account security are a problem today, and this seems like a shrewd move from Facebook. If it works as intended and is adopted by other sites, having a Facebook account would itself become an attractive proposition for people trying to stay secure online — which probably isn’t something you would have said about it previously.