Facebook is looking to end one of the biggest problems in web security: password recovery. To that end, it has announced a new way to recover the password for your Github account which, if successful, could spell the end of secret questions and recovery emails and provide much greater security in the future.
Recovering a password when you’ve forgotten it is often either too easy and not very secure, or a long slog to prove you’re you. To get around that, Facebook has announced a new token system in partnership with Github. If you forget your password for the latter service, instead of jumping through the usual hoops, you can instead use a Facebook/Github recovery token which you’ve set up previously.
The system works by you setting up a recovery token before you forget your password, as a preventative measure. If at some point you forget your password, you head to Facebook and have it send your pre-registered recovery token. That token does not transfer any information about you, but allows Facebook to give the digital thumbs up that you are indeed you.
Although this sort of method relies on strong security with your Facebook account, it does eliminate problems associated with personal email security and secret questions, the latter of which can often be guessed without much difficulty. Because the tokens sent in the Facebook recovery system are encrypted and don’t contain personal information either, it’s technically safer than an email or SMS recovery, which could be intercepted.
Compromised email accounts can also be used to gain access to a number of different accounts. That won’t be possible in the case of Github’s new system. As Ars explains, the token system can also be rate limited, which means that if someone does compromise your account somewhere, they can’t request a tonne of tokens at once, thereby potentially only compromising one or two of your online accounts, rather than all of them at once.
Google research highlighted the dangers of secret questions back in 2015. Source: Google
By linking them together too, services can collaborate on security and highlight instances where mass password recoveries are requested, suggesting accounts are in the process of being cracked open.
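A simplified model of the flow described above (set up a token in advance, ask the recovery provider for it later, hand it back to the account provider, and rate-limit requests), added here as an illustration and not the code or protocol of Facebook, Github or Ars. The class names, the HMAC-over-random-id token format and the limit of three requests per hour are assumptions for the example only.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Hypothetical stand-in for the account provider (Github in the article).
class AccountProvider:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side MAC key
        self.issued = {}                     # token_id -> user_id, kept here, never inside the token
    def issue_token(self, user_id):
        # Opaque random id authenticated with an HMAC: carries no personal information.
        token_id = secrets.token_hex(16)
        mac = hmac.new(self.key, token_id.encode(), hashlib.sha256).hexdigest()
        self.issued[token_id] = user_id
        return f"{token_id}.{mac}"
    def recover(self, token):
        # Validate a returned token and map it back to a user; None on any failure.
        token_id, _, mac = token.partition(".")
        expected = hmac.new(self.key, token_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        return self.issued.pop(token_id, None)   # pop: each token works exactly once

# Hypothetical stand-in for the recovery provider (Facebook in the article).
class RecoveryProvider:
    def __init__(self, max_requests=3, window_seconds=3600):
        self.vault = {}                      # recovery account -> stored token
        self.requests = defaultdict(list)    # recovery account -> request timestamps
        self.max_requests = max_requests
        self.window = window_seconds
    def store(self, account, token):
        self.vault[account] = token          # provider never learns who the token is for
    def request_token(self, account, now):
        # Return the stored token unless this account has exceeded the rate limit.
        recent = [t for t in self.requests[account] if now - t < self.window]
        if len(recent) >= self.max_requests:
            return None                      # rate limited: a hijacked account cannot drain tokens
        recent.append(now)
        self.requests[account] = recent
        return self.vault.get(account)

def run_flow():
    github, facebook = AccountProvider(), RecoveryProvider(max_requests=3)
    facebook.store("alice@fb", github.issue_token("alice"))     # set up before forgetting
    token = facebook.request_token("alice@fb", now=0)             # later: ask for it back
    first = github.recover(token)                                 # "alice"
    replay = github.recover(token)                                # None: single use
    burst = [facebook.request_token("alice@fb", now=1) for _ in range(3)]
    return first, replay, burst                                   # burst ends with None
```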
As it stands though, this service only works with Github, but Facebook hopes to expand its reach in the future and encourages others to adopt the token system too.
KitGuru Says: What do you guys think of this security measure? It seems like a nice feature, but it won’t be much use for those who don’t have an account with Facebook. It also suggests Facebook and others could keep track of your logins, which some may not like.