Facebook Delegated Recovery Protocol Offers New Password Reset Option

New open-source effort debuts to help improve the state of secure account recovery across internet services, starting with GitHub.

When a user loses access to an online account, a common feature in many sites is a password reset feature via email. While an email based account password reset can work for users, it's not a particularly secure approach. Facebook wants to help improve the state of account recovery with a new open-source Delegated Recovery protocol.

The Delegated Recovery protocol is currently available as an open-source project on the GitHub code repository. Facebook has also chosen to first enable Delegated Recovery to work with GitHub accounts.

"Delegated-account-recovery is a protocol that allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user at a third party service provider," the GitHub project page states.

The new Delegated Recovery protocol should not be confused with Facebook Connect, which is a single sign-on approach that uses the OAuth protocol. With Facebook Connect, sites enable users to log on with a Facebook account.

"There are some conceptual similarities between OAuth other federated identity systems and this protocol, but there are important differences too," Facebook Security Engineer Brad Hill told eWEEK.

Hill explained that in an OAuth authentication flow, a site asks for permission to learn something about the user's account at the identity provider, like their name, email address, or public profile information. In contrast, the Delegated Recovery protocol doesn’t share that kind of information, in either direction.

The way Delegated Recovery works is with an authentication token that is securely stored by Facebook and connected to a user's account.

"Each site will generate its own recovery token for each specific account and ask the account holder to save it at Facebook," Hill said. "Later, if the person forgets their password, he or she can ask Facebook to send that recovery token back to the site it came from."

On GitHub, which is the first site to use Delegated Recovery, if a user attempts to do an account recovery, GitHub will send the user to the relevant page on Facebook directly. Alternatively the user can access their saved tokens in the security settings page on Facebook.

"You'll be asked to re-authenticate to Facebook to use a token for recovery and afterwards be sent back to GitHub to complete the process of regaining access to your account," Hill said.

While GitHub is the first site on which account recovery works, it's likely not going to be the only one.

"We will be working to bring more services on-board so that people will have more choices of what accounts to use for secure recovery, and can use it in more places," Hill said. "Releasing open-source reference code will be part of supporting that effort."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.