As a regular reader of this blog, you are probably using a long, unique, 20-character password with two-factor authentication, and a password manager to keep it all straight. But let’s say that you fall for a phishing scam and give away the password to your email account. The attacker can now use your email account to request password reset emails from your other online accounts, and you have yourself one big breach.
Password reset procedures vary from one website or service to another, but almost without exception the process is weak and easy for an attacker to overcome. The scenario above is bad enough, with your hijacked inbox awash in emails with password reset links. But how about password reset systems that require you to provide answers to secret questions? Unfortunately, many of the provided questions can be answered with a little research on Facebook, LinkedIn, or Ancestry.com (What is your grandmother’s middle name?).
Facebook is offering a password reset service called “delegated recovery.” Facebook generates and stores an encrypted recovery token for a website that is registered by a Facebook user, and this token is used to reset a lost password.
Let’s say that I have registered my Amazon.com account with Facebook, but now I have forgotten my password and need to reset it. I log into Facebook and send a token to Amazon that is time-stamped and signed by Amazon’s private key. And now I am able to access my Amazon account again.
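The token flow described above, as an added example that is not Facebook’s or GitHub’s code: the site mints an opaque, time-stamped, signed token, the provider only stores it, and the site verifies signature, freshness and single use when it comes back. It assumes an HMAC as a stand-in for the site’s private-key signature, a JSON token body, and a one-hour lifetime.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 3600  # seconds a recovery token stays redeemable (assumed value)

class Site:
    """The relying website (the 'Amazon' role): mints tokens and later verifies them."""
    def __init__(self, signing_key: bytes):
        self.key = signing_key   # stands in for the site's private key (HMAC, not RSA/ECDSA)
        self.pending = {}        # token id -> account it unlocks; this binding never leaves the site

    def issue(self, account: str, now=None) -> str:
        """Mint a time-stamped, signed token that is opaque to the recovery provider."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(16)
        self.pending[token_id] = account
        body = json.dumps({"id": token_id, "iat": int(now)}, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + sig).decode()

    def redeem(self, token: str, now=None):
        """Check signature, then age, then single use; return the account or None."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except (binascii.Error, ValueError):
            return None
        body, sig = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None                          # forged or tampered token
        payload = json.loads(body)
        if now - payload["iat"] > TOKEN_TTL:
            return None                          # stale token, even if genuine
        return self.pending.pop(payload["id"], None)  # pop makes a replay come back empty

class Provider:
    """The recovery provider (the Facebook role): holds tokens it can neither read nor forge."""
    def __init__(self):
        self.store = {}
    def save(self, user: str, token: str) -> None:
        self.store[user] = token
    def recover(self, user: str):
        return self.store.get(user)
```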
Currently, only GitHub is set up to use Facebook’s Delegated Recovery, so there is no need to rush out and sign up until more sites are enrolled. Using Facebook this way means that you will want to make sure your security settings on Facebook are properly configured. I expect that we will see other avenues for delegated recovery from companies such as LastPass and Yubico. This is definitely an idea that is long overdue.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com