As a regular reader of this blog, you are probably using a long, unique, 20-character password with two-factor authentication, and a password manager to keep it all straight. But let’s say that you fall for a phishing scam and give away the password to your email account. The attacker can now use your email account to request password reset emails from your other online accounts, and you have yourself one big breach.
Password reset procedures vary from one website or service to another, but almost without exception the process is weak and easy for an attacker to overcome. The scenario above is bad enough, with your hijacked inbox awash in emails carrying password reset links. But how about password reset systems that require you to answer secret questions? Unfortunately, many of the provided questions can be answered with a little research on Facebook, LinkedIn, or Ancestry.com (what is your grandmother’s middle name?).
Facebook is offering a password reset service called “delegated recovery.” Facebook generates and stores an encrypted recovery token for a website that is registered by a Facebook user, and this token is used to reset a lost password.
Let’s say that I have registered my Amazon.com account with Facebook, but now I have forgotten my password and need to reset it. I log into Facebook and send a token to Amazon that is time-stamped and signed by Amazon’s private key. And now I am able to access my Amazon account again.
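To make the flow above concrete, here is an added example (my own illustration, not Facebook's or GitHub's code) that models a site issuing an opaque recovery token, a recovery provider storing and later countersigning it with a timestamp, and the site checking the countersignature, the timestamp window and single use before it resets the password. It uses only the Python standard library: HMAC-SHA256 with per-party secrets stands in for the public-key signatures the real protocol uses, and the site keeps the token-to-account binding server-side instead of encrypting it into the token, so the provider never learns which account a token unlocks. The names, keys and 10-minute validity window are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json
import secrets
import time


def _mac(key: bytes, payload: bytes) -> str:
    # Stand-in for a public-key signature (assumption: HMAC keeps the demo stdlib-only).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _canon(obj: dict) -> bytes:
    # Deterministic encoding so both parties MAC exactly the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Site:
    """The account holder (GitHub/Amazon in the post): issues and later honours tokens."""

    COUNTERSIGN_MAX_AGE = 600  # seconds a countersigned token stays valid (assumed value)

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.passwords = {}     # username -> password (plain text for the demo only)
        self.token_owner = {}   # token id -> username; this binding never leaves the site
        self.used = set()       # token ids already redeemed

    def create_recovery_token(self, username: str, audience: str) -> dict:
        """Mint the token the user stores at their recovery provider (opaque to it)."""
        body = {"id": secrets.token_hex(16), "issuer": self.name,
                "audience": audience, "issued_at": int(time.time())}
        self.token_owner[body["id"]] = username
        return {"body": body, "sig": _mac(self.key, _canon(body))}

    def recover(self, envelope: dict, provider_key: bytes, now: float) -> str:
        """Validate a countersigned token; return the account it unlocks or raise ValueError."""
        outer = envelope["outer"]
        if not hmac.compare_digest(envelope["outer_sig"], _mac(provider_key, _canon(outer))):
            raise ValueError("bad provider countersignature")
        if now - outer["countersigned_at"] > self.COUNTERSIGN_MAX_AGE:
            raise ValueError("countersignature expired")
        token = envelope["outer"]["token"]
        body = token["body"]
        if not hmac.compare_digest(token["sig"], _mac(self.key, _canon(body))):
            raise ValueError("token was not issued by this site")
        if body["issuer"] != self.name or body["audience"] != outer["provider"]:
            raise ValueError("issuer/audience mismatch")
        if body["id"] not in self.token_owner or body["id"] in self.used:
            raise ValueError("unknown or already used token")
        self.used.add(body["id"])   # single use: a replayed envelope fails here
        return self.token_owner[body["id"]]

    def set_password(self, username: str, new_password: str) -> None:
        self.passwords[username] = new_password


class RecoveryProvider:
    """The recovery provider (Facebook in the post): stores tokens, countersigns on request."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.vault = {}  # provider user -> {issuer: stored token}

    def store(self, user: str, token: dict) -> None:
        self.vault.setdefault(user, {})[token["body"]["issuer"]] = token

    def countersign(self, user: str, issuer: str, now: float) -> dict:
        """After the user authenticates here, wrap the stored token with a fresh timestamp."""
        outer = {"token": self.vault[user][issuer], "provider": self.name,
                 "countersigned_at": int(now)}
        return {"outer": outer, "outer_sig": _mac(self.key, _canon(outer))}


def _rejected(action) -> bool:
    try:
        action()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Enrol, then exercise the stale, tampered, genuine and replayed cases."""
    site = Site("example-site", secrets.token_bytes(32))
    provider = RecoveryProvider("recovery-provider", secrets.token_bytes(32))
    site.set_password("alice", "old-password")
    provider.store("alice@provider", site.create_recovery_token("alice", provider.name))

    now = time.time()
    env = provider.countersign("alice@provider", site.name, now)
    results = {}
    # Presented an hour later: outside the window, and the token is left unused.
    results["stale_rejected"] = _rejected(lambda: site.recover(env, provider.key, now + 3600))
    # Altered after countersigning: the provider's signature no longer matches.
    bad = copy.deepcopy(env)
    bad["outer"]["token"]["body"]["issuer"] = "some-other-site"
    results["tamper_rejected"] = _rejected(lambda: site.recover(bad, provider.key, now + 5))
    # Genuine presentation within the window: account identified, password reset.
    who = site.recover(env, provider.key, now + 5)
    site.set_password(who, "new-password")
    results["recovered_user"], results["password"] = who, site.passwords[who]
    # The very same envelope presented again must fail.
    results["replay_rejected"] = _rejected(lambda: site.recover(env, provider.key, now + 6))
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the provider holds nothing it could use on its own: the stored token carries no account name, the site only honours it after a fresh countersignature from the provider, and every token is burned on first use, so an old countersigned copy is worthless to anyone who later obtains it.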
Currently, only GitHub is set up to use Facebook’s Delegated Recovery, so there is no need to rush out and sign up until more sites are enrolled. Using Facebook this way means that you will want to make sure your security settings on Facebook are properly configured. I expect that we will see other avenues for delegated recovery from companies such as LastPass and Yubico. This is definitely an idea that is long overdue.