WindowsTechs.com
Forgotten passwords are bane of the Internet. Facebook wants to fix that

Posted on January 31, 2017 by Dan Goodin

Account recovery programs like this one from United Airlines pose a significant threat to users. (credit: Dan Goodin)

Facebook is unveiling a new service that remedies one of the biggest headaches facing online users today—the forgotten password.

Starting Tuesday, Facebook will offer a service that allows users who lose their GitHub login credentials to securely regain access to their accounts. The process takes only seconds and uses a handful of clicks over encrypted HTTPS Web links. To set it up, Facebook users create a GitHub recovery token in advance and save it with their Facebook account. In the event they lose their GitHub login credentials, they can reauthenticate to Facebook and request the token be sent to GitHub with a time-stamped signature. The token is encrypted so Facebook can’t read any of the personal information it stores. After the request is sent, the GitHub account is restored. With the exception of Facebook’s assertion that the person recovering the GitHub account is the same person who saved the token, Facebook and GitHub don’t share any personal information about the user.
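The flow described above can be modeled in a few lines. This is an added example, not Facebook's or GitHub's code or wire format: it shows the checks the account provider has to make before restoring access (signature, timestamp freshness, replay, token integrity). The Ed25519 signature, AES-256-GCM token, `timestamp.token` message layout, 60-second window and all function names are assumptions made for illustration.

```javascript
// Added example: simplified model of the flow, not Facebook's or GitHub's code.
const nodeCrypto = require('node:crypto');
const MAX_AGE_MS = 60000; // assumed freshness window for the countersignature

// Account provider (GitHub's role): only it holds the token-encryption key.
function makeAccountProvider() {
  const key = nodeCrypto.randomBytes(32);
  const seen = new Set(); // countersignatures already redeemed (replay guard)
  return {
    issueToken(accountId) { // AES-256-GCM, layout: iv(12) | tag(16) | ciphertext
      const iv = nodeCrypto.randomBytes(12);
      const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
      const ct = Buffer.concat([c.update(accountId, 'utf8'), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
    },
    redeem({ token, issuedAt, sig }, recoveryPubKey, now = Date.now()) {
      const msg = Buffer.from(`${issuedAt}.${token}`);
      if (!nodeCrypto.verify(null, msg, recoveryPubKey, Buffer.from(sig, 'base64')))
        return { ok: false, reason: 'bad-signature' };
      if (Math.abs(now - issuedAt) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
      if (seen.has(sig)) return { ok: false, reason: 'replay' };
      try {
        const raw = Buffer.from(token, 'base64');
        const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
        d.setAuthTag(raw.subarray(12, 28));
        const id = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
        seen.add(sig);
        return { ok: true, accountId: id.toString('utf8') };
      } catch (e) { return { ok: false, reason: 'bad-token' }; }
    },
  };
}

// Recovery provider (Facebook's role): stores the token it cannot read and,
// once the user has re-authenticated, countersigns it with a timestamp.
function makeRecoveryProvider() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const saved = new Map(); // user -> opaque token
  return {
    publicKey,
    save(user, token) { saved.set(user, token); },
    countersign(user, now = Date.now()) {
      const token = saved.get(user);
      if (!token) throw new Error('no token saved for user');
      const sig = nodeCrypto.sign(null, Buffer.from(`${now}.${token}`), privateKey);
      return { token, issuedAt: now, sig: sig.toString('base64') };
    },
  };
}
```

Because the timestamp is inside the signed message, changing it invalidates the signature, and a captured assertion cannot be reused once it has been redeemed or has aged out of the window.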

The service is designed to eliminate the hassle and significant insecurity found in most account recovery systems that exist now. One common recovery method involves answering security questions. Many of the questions—for instance, “What is your favorite sport?” and “What is your favorite pizza topping?” asked by United Airlines—are easily guessed. That leaves people susceptible to account takeovers. Other methods, such as delivering security tokens by e-mail or SMS text message, lack the kind of end-to-end encryption that’s increasingly expected for secure communications.
