Facebook, GitHub team up to better secure password resets


GitHub is adopting Facebook's new account-recovery protocol, and the protocol has been opened up to bug bounty researchers to identify and work out security kinks in the new way users regain access to their accounts. Security researchers are encouraged to take part in the bounty program and uncover potential security flaws before the system becomes widely used across the internet.

Most websites and online services rely on email to recover user accounts and reset passwords. While password reset emails are ubiquitous, they aren't very secure, because they rest on the assumption that the user still controls the email address and that attackers haven't already compromised the email account. Security questions are no better, since anyone with a little time can use social engineering or online research on the target to find the answers to commonly asked security questions.

Facebook engineer Brad Hill unveiled Delegated Recovery at the Enigma conference on Monday, describing the protocol as a way for developers to build password resets and account recovery that are far more resistant to attack. Delegated Recovery lets the user link accounts on different services so that one service can later vouch for ownership of the account on the other. When the link is first made, the two sites exchange cryptographically secured tokens. No identifying information about the user, such as the email address registered to the account, phone number, or even name, is shared as part of the exchange.

With GitHub supporting the protocol, users can proactively link their Facebook accounts with their GitHub accounts. The only thing GitHub learns is that the user also has an account on Facebook; Facebook learns that the user has an account on GitHub, and nothing else is shared. If a user loses control of the GitHub account, the user can log in to Facebook and have it send a time-stamped recovery token to GitHub, which unlocks the account.
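The exchange described above, as an added example rather than Facebook's or GitHub's own code: an account provider (GitHub in the article) hands the recovery provider (Facebook) a signed token that carries only a random identifier, the recovery provider stores it without learning who the user is, and at recovery time it countersigns the stored token with a timestamp and returns it. The token layout, field names, the 60-second freshness window and the use of HMAC with per-party keys in place of the public-key signatures a real deployment would use are all assumptions made so the example runs on the Python standard library alone; it is not the Delegated Recovery wire format.

```python
"""Simplified model of a delegated account-recovery exchange (added example).

Not Facebook's or GitHub's code. Field names, the freshness window and the
HMAC stand-in for public-key signatures are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumed: one long-term key per party. A real deployment would use public-key
# signatures so neither side can forge the other's tokens; shared HMAC keys are
# a stand-in so this runs without third-party libraries.
KEYS = {"github": secrets.token_bytes(32), "facebook": secrets.token_bytes(32)}
RECOVERY_TOKEN_MAX_AGE = 60  # seconds a countersigned token stays valid (assumed)


def _sign(party, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(KEYS[party], body, hashlib.sha256).hexdigest()
    return {"issuer": party, "payload": payload, "sig": sig}


def _verify(token):
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(KEYS[token["issuer"]], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


class AccountProvider:
    """The service whose account is being protected (GitHub in the article)."""

    def __init__(self, name):
        self.name = name
        self.bindings = {}  # token_id -> local user id; never leaves this side
        self.used = set()

    def issue_link_token(self, user_id, recovery_provider):
        # Only a random identifier is shared; the user binding stays local.
        token_id = secrets.token_hex(16)
        self.bindings[token_id] = user_id
        return _sign(self.name, {"type": "link", "token_id": token_id,
                                 "audience": recovery_provider})

    def recover(self, recovery_token, now=None):
        now = time.time() if now is None else now
        if not _verify(recovery_token):
            raise ValueError("bad recovery-provider signature")
        p = recovery_token["payload"]
        if p["type"] != "recovery" or p["audience"] != self.name:
            raise ValueError("token not addressed to this service")
        if not (p["issued_at"] <= now <= p["issued_at"] + RECOVERY_TOKEN_MAX_AGE):
            raise ValueError("recovery token expired or from the future")
        inner = p["link_token"]
        if not _verify(inner) or inner["issuer"] != self.name:
            raise ValueError("inner link token was not issued by us")
        if inner["payload"]["audience"] != recovery_token["issuer"]:
            raise ValueError("link token countersigned by the wrong provider")
        token_id = inner["payload"]["token_id"]
        if token_id in self.used or token_id not in self.bindings:
            raise ValueError("unknown or already-used token")
        self.used.add(token_id)  # one recovery per link token; re-link afterwards
        return self.bindings[token_id]


class RecoveryProvider:
    """The service the user recovers through (Facebook in the article)."""

    def __init__(self, name):
        self.name = name
        self.store = {}  # its own user id -> stored link token (opaque to it)

    def save_link_token(self, local_user, link_token):
        if not _verify(link_token) or link_token["payload"]["audience"] != self.name:
            raise ValueError("link token not meant for this provider")
        self.store[local_user] = link_token

    def countersign(self, local_user, now=None):
        # The user has just logged in here; wrap the stored token with a timestamp.
        now = time.time() if now is None else now
        link_token = self.store[local_user]
        return _sign(self.name, {"type": "recovery", "link_token": link_token,
                                 "audience": link_token["issuer"], "issued_at": now})


def demo():
    """Link, recover once, then show the same token cannot be replayed."""
    gh, fb = AccountProvider("github"), RecoveryProvider("facebook")
    # Linking: GitHub user 42 and Facebook user "alice" are the same person (constructed data).
    fb.save_link_token("alice", gh.issue_link_token(42, "facebook"))
    t0 = 1_700_000_000
    user = gh.recover(fb.countersign("alice", now=t0), now=t0 + 5)
    try:
        gh.recover(fb.countersign("alice", now=t0), now=t0 + 5)
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return user, replay_blocked
```

The point a practitioner should take from it is in `AccountProvider.recover`: the recovery provider's signature, the audience, the timestamp window, the account provider's own inner signature and single-use status are all checked before the random `token_id` is mapped back to a user, and that mapping exists only on the account provider's side, so the recovery provider never sees an email address or user name.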