Recovering a Facebook account can be daunting, especially when the account has been hacked or when you have simply forgotten your password.
The process can be long and frustrating: Facebook sends a code to your phone, then an email verification link, then you log in, reset the password, and finally confirm the change.
At its recently held F8 developer conference, Facebook announced a beta version of what it calls Delegated Account Recovery, a feature designed to make your account on Facebook or similar services the ultimate fallback for recovering any forgotten password. Apps that adopt the feature can give users the option to recover or reset their password by proving their identity to Facebook, rather than by clicking on an emailed link or, worse, coughing up personal trivia like the name of their first pet or high school mascot. The approach holds the promise of far tighter account security, shoring up the problem of hackers guessing security question answers or hijacking insecure email accounts. Facebook has tested the feature with GitHub for months. Now it’s publishing the code to let any app try it, and then apply to be part of Facebook’s closed beta.
Delegated Account Recovery is designed to make account recovery more secure. If you’ve ever forgotten a password (and who hasn’t?) you know the recovery process usually involves a link sent to your email or a security code texted to your phone. But email can easily be compromised if a user’s password has been included in a data breach or if they’ve fallen for a phishing scheme, and texted security codes can get lost in transmission if you’ve upgraded to a new phone or changed your number.
“The system is designed to be resilient even to large scale data dumps of email and user databases that have become too common. With independently held cryptographic keys needed to use them, recovery tokens offer a level of security that we don’t see from email,” Facebook security engineer Brad Hill explained in a blog post. Here’s how the recovery flow works:
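As an added illustration (not code from Facebook, GitHub or the published Delegated Account Recovery specification), the Python below models the property Hill's quote describes: the recovery provider stores an opaque, issuer-signed token and countersigns it only after the user has authenticated to the provider, so a dump of the provider's token database alone does not let anyone redeem a token, and a redeemed token cannot be replayed. HMAC-SHA256 with shared keys stands in for the asymmetric signatures a real deployment would use; the token fields, the names `Issuer` and `RecoveryProvider`, and the 300-second freshness window are assumptions made for this example.

```python
"""Toy model of a delegated account recovery flow (constructed example).

Issuer: the service whose password is being reset.
RecoveryProvider: a site the user can already log in to; it stores the opaque
token and countersigns it only after the user proves access.
HMAC-SHA256 with shared keys stands in for real asymmetric signatures.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)   # held only by the issuer
        self.provider_keys = {}               # provider name -> verification key
        self.issued = {}                      # token id -> {user, exp, used}

    def register_provider(self, name, key):
        self.provider_keys[name] = key

    def issue_token(self, user, provider, ttl=365 * 86400):
        body = {"id": b64(secrets.token_bytes(16)), "iss": self.name,
                "aud": provider, "exp": int(time.time()) + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        # The user -> token mapping stays with the issuer; the token names no user.
        self.issued[body["id"]] = {"user": user, "exp": body["exp"], "used": False}
        return b64(payload) + "." + b64(sig)

    def redeem(self, bundle, now=None):
        """Return the account to reset, or raise ValueError if the bundle is unacceptable."""
        now = int(time.time()) if now is None else now
        token = bundle["token"]
        payload_b64, sig_b64 = token.split(".")
        payload = unb64(payload_b64)
        body = json.loads(payload)
        # 1. Our own signature: rejects tokens we never issued or that were altered.
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig_b64)):
            raise ValueError("issuer signature invalid")
        # 2. Provider countersignature: proves the provider authenticated the user just now.
        pkey = self.provider_keys.get(body["aud"])
        if pkey is None:
            raise ValueError("unknown provider")
        msg = token.encode() + b"|" + str(bundle["ts"]).encode()
        if not hmac.compare_digest(hmac.new(pkey, msg, hashlib.sha256).digest(),
                                   unb64(bundle["countersig"])):
            raise ValueError("provider countersignature invalid")
        # 3. Expiry, freshness of the countersignature (assumed 300 s) and single use.
        rec = self.issued.get(body["id"])
        if rec is None or rec["used"] or now > rec["exp"] or abs(now - bundle["ts"]) > 300:
            raise ValueError("token unknown, used, expired or countersignature stale")
        rec["used"] = True
        return rec["user"]


class RecoveryProvider:
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.vault = {}   # account -> stored tokens: exactly what a database dump exposes

    def save_token(self, account, token):
        self.vault.setdefault(account, []).append(token)

    def recover(self, account, logged_in_as, issuer, now=None):
        """Countersign the stored token for `issuer` once the user has proven access here."""
        if logged_in_as != account:
            raise PermissionError("user did not authenticate to the provider")
        now = int(time.time()) if now is None else now
        for token in self.vault.get(account, []):
            body = json.loads(unb64(token.split(".")[0]))
            if body["iss"] == issuer and body["aud"] == self.name:
                msg = token.encode() + b"|" + str(now).encode()
                return {"token": token, "ts": now,
                        "countersig": b64(hmac.new(self.key, msg, hashlib.sha256).digest())}
        raise KeyError("no token stored for that issuer")


def demo():
    """Enrolment, one attack attempt, a legitimate recovery and a replay; returns outcomes."""
    site = Issuer("example-site")
    provider = RecoveryProvider("example-provider")
    site.register_provider(provider.name, provider.key)
    token = site.issue_token("alice", provider.name)   # enrolment
    provider.save_token("alice@provider", token)
    out = {}
    try:   # attacker holding a dump of the provider's vault, but no login there
        site.redeem({"token": token, "ts": int(time.time()), "countersig": b64(b"\0" * 32)})
        out["leaked_token_alone"] = "accepted"
    except ValueError:
        out["leaked_token_alone"] = "rejected"
    bundle = provider.recover("alice@provider", "alice@provider", site.name)
    out["legit"] = site.redeem(bundle)
    try:   # the same countersigned bundle presented a second time
        site.redeem(bundle)
        out["replay"] = "accepted"
    except ValueError:
        out["replay"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from `redeem` is the order of checks: a stolen token fails at step 2 because only the provider, after its own login, can produce the countersignature, and even a captured countersigned bundle fails at step 3 once it has been used or has gone stale.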
But even if the highest level of account security isn’t a selling point for some users, Hill gave me a succinct and compelling pitch for why Delegated Account Recovery is better than other methods when he debuted the feature back in January: “We can get you back into your account even if you drop your phone off the boat.”
Facebook launched the feature with GitHub, whose users are inclined to be more technical and can more easily navigate the setup process. Now that Facebook is expanding Delegated Account Recovery to other sites, it will need to sell developers on the idea that the extra set-up hurdles — and the association with Facebook — are worth the switch from email.
Some online retailers might be quick to adopt Delegated Account Recovery, but it’s easy to imagine Amazon, Google or Twitter being resistant to the idea. That’s part of why the project is open source: other companies could establish themselves as identity hubs, too. “Eliminating fraud is a shared goal, not a competitive space,” Hill said. “Having multiple providers will be helpful to this ecosystem.” If the ecosystem grows, security could expand too. Users could store recovery tokens for encrypted data across several different sites, so a user would need to prove access to multiple accounts in order to decrypt the data.
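The last sentence above, where a user must prove access to several accounts before encrypted data can be decrypted, is shown in the following added example (constructed for this article, not code from Facebook or any provider). It splits a data-encryption key into n-of-n XOR shares, stores one share with each of several stand-in providers, and reconstructs the key only when every provider has released its share to an authenticated user. The `ProviderVault` class, the boolean login model and the fingerprint check are assumptions; a real deployment might prefer a threshold scheme so that losing one provider is survivable.

```python
"""Constructed example: a data-encryption key split across several recovery
providers so that no single provider, and no dump of one provider's store,
reveals the key. n-of-n XOR sharing: every share is required, and any n-1
shares together are uniformly random and independent of the key.
"""
import hashlib
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """Return n shares whose XOR is `key`; n-1 are random, the last fixes the sum."""
    if n < 2:
        raise ValueError("need at least two providers")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine(shares):
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


class ProviderVault:
    """Stand-in for one recovery provider (assumed: login is modelled as a boolean)."""

    def __init__(self, name):
        self.name = name
        self.store = {}   # user -> share; what a breach of this provider would expose

    def save(self, user, share):
        self.store[user] = share

    def fetch(self, user, authenticated):
        if not authenticated:
            raise PermissionError("not logged in at " + self.name)
        return self.store[user]


def enrol(key, user, providers):
    """Store one share per provider; return a fingerprint to verify reconstruction."""
    for provider, share in zip(providers, split_key(key, len(providers))):
        provider.save(user, share)
    return hashlib.sha256(key).hexdigest()


def recover(user, providers, logins, fingerprint):
    """Collect every share (each provider checks its own login) and rebuild the key."""
    shares = [p.fetch(user, logins.get(p.name, False)) for p in providers]
    key = combine(shares)
    if hashlib.sha256(key).hexdigest() != fingerprint:
        raise ValueError("reconstructed key does not match fingerprint")
    return key


def demo():
    """Full recovery, a recovery with one login missing, and a single-provider breach."""
    key = secrets.token_bytes(32)
    providers = [ProviderVault(n) for n in ("provider-a", "provider-b", "provider-c")]
    fp = enrol(key, "alice", providers)
    out = {}
    out["all_logins"] = recover("alice", providers, {p.name: True for p in providers}, fp) == key
    try:
        recover("alice", providers, {"provider-a": True, "provider-b": True}, fp)
        out["one_login_missing"] = "recovered"
    except PermissionError:
        out["one_login_missing"] = "refused"
    # A breach of provider-a yields its share, which is a random string unrelated to the key.
    out["breached_share_is_key"] = providers[0].store["alice"] == key
    return out


if __name__ == "__main__":
    print(demo())
```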
Getting other companies to participate, either by storing recovery tokens with Facebook or issuing tokens themselves, will help Facebook grow outside the U.S. and Europe, where email recovery is already uncommon.
“Facebook user surveys are revealing a decline in the use of personal email and a growing preference for phone number as an account identifier. In some parts of Africa and the Asia Pacific region, the preference for phone number over email is as high as 70%,” Hill explained. “And in many of those same places where phone number is most popular, it is also a very unstable identifier. People often have multiple SIM cards, switch numbers frequently to get a better deal, and treat phone numbers as spam collection accounts like people in English-speaking markets often do with email.”
Because users in these markets are abandoning email in exchange for phone numbers as their primary identity hub, Facebook needs to follow that trend. Establishing itself as the keyholder for users’ online identities gives Facebook continuity, even as its users abandon SIM cards or change email addresses. Like Internet.org, Facebook’s program to provide free access to some internet services, Delegated Account Recovery could make Facebook a foundational part of the online experience for the next billion users.
“If you depend on email for recovery, you’re going to miss connecting with a lot of people. And, if you are signing people up to your service with a phone number, it is critical you have a way to recover when that number changes,” Hill added.
Facebook wants to drive wide adoption of Delegated Account Recovery; that would be a win for user security inside and outside Facebook, as well as for the company’s expansion plans. Now that the feature is open to developers outside GitHub, we’ll see how widely it is adopted.