Facebook and GitHub test new account recovery option
Facebook and GitHub have partnered to provide GitHub users who employ two-factor authentication an easier way to recover access to their account in case they get locked out of it.
Users may lose their phone or U2F key, or change phones without re-enrolling, and they lose access to the account.
“Currently, if you lose the ability to authenticate with your phone or token, you have to prove account ownership before we can disable two-factor authentication. Proving ownership requires access to a confirmed email address and a valid SSH private key for a given account,” Stephanie Wills, community manager at GitHub, explained. “This feature will provide an alternative proof of account ownership that can be used along with these other methods.”
Delegated account recovery
This so-called delegated account recovery option should be a safer alternative to security questions.
It’s also easy to use: initiate the storing of a token on the security settings page on GitHub and confirm that the token will be stored with Facebook. If you ever get locked out, you can initiate the recovery process by logging into Facebook and using the Recover Accounts Elsewhere feature.
The token is encrypted and signed by GitHub, and can’t be used by Facebook. When a user initiates the recovery process, Facebook countersigns the token and sends it back to GitHub, who then verifies the validity of Facebook’s countersignature, the signature of the original token, and checks that the token has not been revoked. Finally, GitHub decrypts the secret in the original token and uses it to verify the owner of the token.
“GitHub only stores the token ID, user ID, and token state. Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery,” GitHub security engineer Neil Matatall assured, and added that no personally identifiable information is exchanged between Facebook and GitHub.
“This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.”
Other services can implement it, too
For the moment, the feature can only be used to recover access to GitHub accounts with Facebook’s help. The reverse option – GitHub saves tokens for Facebook accounts – is also planned.
The author of the Delegated Account Recovery specification is Facebook security engineer Brad Hill. Facebook has published the protocol behind the account recovery feature on GitHub, and hopes that other services will adopt it in the future.
“Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages to make it easy to build secure and privacy-preserving connections among your accounts and ensure you never lose access,” Hill noted.
This limited release of the feature is meant to allow independent bug hunters to test its security before wider adoption by other services.