Facebook debuts a new way to recover a locked account

OAKLAND—Facebook security engineer Brad Hill knows what it’s like to get locked out of one of your dozens of online accounts. He’s received that email that asks him to click on a link to reset his password. And he knows that fake account recovery emails are used to attack unsuspecting consumers.

Hill’s response to that type of phishing message is called Delegated Recovery.

“It’s a problem I’ve been thinking about for a really long time,” he says—at least five years, long before he started working for the social-networking behemoth. Emailed phishing attacks are a serious problem, having shot up 250 percent from October 2015 to March 2016, according to an Anti-Phishing Working Group study.

Delegated Recovery, which Facebook debuted on Monday in conjunction with online software repository GitHub at the annual Enigma Conference here, creates a new way to link accounts so that you can use a major online service provider such as Facebook to regain access to a locked account at a smaller service such as GitHub.

“We do that in a way that Facebook never learns who I am at GitHub, and GitHub never learns who I am at Facebook. It’s really designed to be privacy-friendly,” he says. “That means we’re not limited to email as your identifier.”

Delegated Recovery has the potential to change how people get back into accounts that have been locked for security reasons, such as typing in the wrong password too many times. It takes an account that is already presumed to be trustworthy—Facebook is already used by millions as the de facto account username and password for non-Facebook accounts—and uses it to unlock one of your non-Facebook online services.

The feature saves a token, a small piece of data, to your Facebook account that identifies your GitHub account as belonging to you, but it’s encrypted so that Facebook can’t read it. Personal information isn’t shared from this token to GitHub, either, preserving user anonymity.

When you initiate an account log-in recovery, Facebook sends the token over an encrypted connection to GitHub to unlock your account. It doesn’t require receiving text messages that have log-in codes, answering secret questions, or clicking on easily faked emailed links.
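As an added illustration, not Facebook's or GitHub's code and not the published protocol, the following toy model walks through the three-party exchange described above: GitHub issues an opaque token, Facebook stores it without being able to interpret it, and on recovery Facebook hands it back with its own countersignature for GitHub to check. The class and user names are invented, the token is a random identifier rather than encrypted data, and HMAC stands in for the signatures a real deployment would use; all of these are assumptions for the sake of the example.

```python
import hmac
import hashlib
import secrets


class GitHubRecovery:
    """The account being protected: issues tokens and later redeems them."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # MAC key that never leaves GitHub
        self.issued = {}                     # opaque token id -> GitHub user

    def _tag(self, token_id):
        return hmac.new(self.key, b"issue|" + token_id, hashlib.sha256).digest()

    def issue_token(self, github_user):
        # The token carries only a random id and a MAC: no username, no email,
        # so the party storing it learns nothing about the GitHub account.
        token_id = secrets.token_bytes(16)
        self.issued[token_id] = github_user
        return token_id + self._tag(token_id)

    def redeem(self, token, fb_countersig, fb_verify):
        token_id, tag = token[:16], token[16:]
        issued_by_us = hmac.compare_digest(tag, self._tag(token_id))
        came_via_fb = fb_verify(token, fb_countersig)
        if not (issued_by_us and came_via_fb) or token_id not in self.issued:
            return None
        return self.issued.pop(token_id)   # single use: unlock this user once


class FacebookVault:
    """The recovery provider: stores the opaque blob and returns it on request."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.saved = {}                      # Facebook user -> opaque token

    def _sig(self, token):
        return hmac.new(self.key, b"recover|" + token, hashlib.sha256).digest()

    def save(self, fb_user, token):
        self.saved[fb_user] = token          # never parsed, just kept

    def recover(self, fb_user):
        token = self.saved[fb_user]
        # The Facebook user id is deliberately not part of what is signed or
        # sent, so GitHub never learns who the person is on Facebook.
        return token, self._sig(token)

    def verify(self, token, sig):
        return hmac.compare_digest(sig, self._sig(token))


def demo():
    gh, fb = GitHubRecovery(), FacebookVault()
    token = gh.issue_token("octocat")        # constructed sample account
    fb.save("fb-user-123", token)            # constructed sample account
    token_back, sig = fb.recover("fb-user-123")
    return gh.redeem(token_back, sig, fb.verify)   # "octocat"
```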

With Delegated Recovery, losing your phone is no longer a barrier to unlocking a locked small account, “even a year later,” Hill says. And at some point, Hill plans “to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook,” he wrote in a Facebook blog post.

Neil Matatall, a security engineer at GitHub who led the team that integrated Delegated Recovery starting last September, says that while it took some effort to get the new technology to work right, it should get easier as more companies use it.

Delegated Recovery “requires a small amount of expertise or experience,” he says, adding that eventually, “we want it to be a drop-in solution for almost anyone.”

The project is open-source so that anybody can see and work on its code, Matatall and Hill say. It also allows others in the security community to vet the encryption used to protect user privacy, and it encourages adoption by other companies. Specifically, Matatall says, he’d like to see Google support Delegated Recovery for GitHub (and others).

“As long as we get the big players in the industry to adopt this, it’ll help push it forward,” he says.