Facebook Rolls Out Delegated Recovery To Circumvent Email

Facebook wants to improve the process to recover an account other than via email, announcing an account recovery system for website operators called Delegated Recovery.

According to a report by TechCrunch, Facebook security engineer Brad Hill unveiled the new feature at the USENIX Enigma conference, saying the service will let users create encrypted recovery tokens for websites, and if the user can’t get into the site, the stored token is sent from the Facebook profile of the user back to the website, proving the identity and unlocking the account. “No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token,” Hill said in the report. “We can get you back into your account even if you drop your phone off the boat.”

TechCrunch noted that, with Delegated Recovery, it’s not only about offering a security feature but a way to focus the online identity around a Facebook profile instead of an email account. Hill said in the report there are lots of technical reasons email isn’t secure and has been breached in the past.

“We’re releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs,” said Hill in a blog post on Facebook. “Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria.”

What’s more, he said both Facebook and GitHub will publish open-source reference implementations of the protocol in different programming languages to make it easy to build secure and privacy-preserving connections among accounts.