The more you use online services, the more you have to remember your login credentials. Remembering variety of usernames/emails and passwords combinations can be a daunting task, and getting locked out of your accounts is the last thing you want.
And to add up the frustration, the more your mobile devices are getting tied to those online services, losing your phones means you lose your ability to receive two-factors authentication codes. Another option is to answer a security questions. But this also can be a difficult task.
Almost everyone that uses many online services has experience this. But as a matter of fact, losing access to your account is also a widely-available measure to know that you account are indeed secured to even outsiders.
However, if you really want to get back into your account, Facebook is introducing Delegated Recovery to overcome the above occurrences.
Facebook's security engineer Brad Hill announced on January 30th, 2017, at the USENIX Enigma conference that the company is setting up an encrypted recovery tokens as a mean to recover accounts on third-party websites like GitHub. So if users ever loses access to their Github account, Facebook can send a stored token from their Facebook profile back to GitHub, proving their identity and unlocking their account.
Using Delegated Recovery, "we can get you back into your account even if you drop your phone off the boat," pointing out some flaws with SMS two-factors authentication and the usual email reset.
Facebook's Delegated Recovery isn't just a security feature, but also a way for Facebook to convince its users to center their online identity to Facebook rather than email addresses.
Account recovery typically involves email addresses that were used to register online accounts in the first place. Facebook is pointing out that recovery emails aren't that secured. With Delegated Discovery, in short, Facebook wants to replace emails by having itself as the hub of online identity management.
The feature is starting out as part of Facebook's bug bounty program. And because the tool has been open-sourced, researchers can test it and point out any security vulnerabilities before offering it to other websites and platforms as an alternative to the the already available methods.
"We're building this and giving it away because recovery is a problem every online service shares. Recovery isn't a product, it's a foundation. Secure access is the foundation on which we build all our other products," said Hill.
The tokens are encrypted to provide privacy - not even Facebook can read the information stored inside those tokens, and it also won't share the information with other websites. And by moving account recovery to Facebook's encrypted token system, the social giant is aiming to provide improved security over the usual widely available account recovery options.
"There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online," explained Hill.
While the death of emails have been overstated, Delegated Discovery is just another attempt to kill it. But since Facebook itself is using emails for sign ups and sign ins, emails aren't going anywhere anytime soon.