Admit it: we have all been through the agony of forgetting a password and having to go through the "forgotten password" ordeal. Well, Facebook has been listening and is working on a new service that could save the day.
Facebook will offer a new service that lets GitHub users who have forgotten their login details regain access through a short series of exchanges carried over encrypted HTTPS connections. For those unaware, GitHub is a collaborative software development platform that hosts major software projects from around the world, including Facebook's own open source projects such as React and osquery. With the new method, your Facebook account provides an additional factor of authentication as part of GitHub's account recovery process.
The entire process completes in seconds. To use it, a user must create a GitHub recovery token beforehand and save it with their Facebook account. The token comes to the rescue whenever the user is locked out. If you lose your GitHub credentials, all you have to do is log in to Facebook and have it send the saved token back to GitHub with a time-stamped counter-signature. The token is encrypted by GitHub, so Facebook cannot extract any personal information from it; Facebook only stores and returns an opaque blob. As soon as GitHub receives the countersigned token and validates it, access to your account is restored. The one requirement is that the token must be sent from the same Facebook account that was used to save it. Throughout the process, Facebook and GitHub exchange no personal information about the user.
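The three steps above (GitHub issues an encrypted token, the user parks it with Facebook, Facebook later returns it with a time-stamped countersignature that GitHub checks) are easier to reason about as a small simulation with both parties' messages. The code below is an added example written for this article; it is not Facebook's or GitHub's implementation and does not follow the published specification's wire format. It assumes a shared-key HMAC countersignature (a stand-in for the public-key signature a real deployment would use), an HMAC-SHA256 counter-mode stream with an HMAC tag as a stand-in for a real authenticated cipher such as AES-GCM, a five-minute freshness window, and single-use tokens; the class names, field names, user IDs and window size are all constructed for the example.

```python
"""Toy model of the recovery-token flow described in the article.
Constructed example: not the spec's or either company's code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

WINDOW_SECONDS = 300  # assumed freshness window for a countersignature


def _prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Facebook:
    """Recovery provider: stores opaque tokens and countersigns them on request."""

    def __init__(self):
        self.countersign_key = secrets.token_bytes(32)  # HMAC stand-in for a signing key
        self.saved = {}  # facebook_id -> token, exactly as received

    @staticmethod
    def signing_input(msg: dict) -> bytes:
        """The countersignature covers the token, the Facebook ID and the timestamp."""
        return f'{msg["token"]}|{msg["fb"]}|{msg["ts"]}'.encode()

    def save_token(self, facebook_id: str, token: str) -> None:
        """Step 2: the token is ciphertext Facebook cannot read; it just stores it."""
        self.saved[facebook_id] = token

    def countersign(self, facebook_id: str, now: Optional[float] = None) -> dict:
        """Recovery: the logged-in account's saved token is returned with a time-stamped signature."""
        msg = {"token": self.saved[facebook_id], "fb": facebook_id,
               "ts": int(time.time() if now is None else now)}
        msg["sig"] = hmac.new(self.countersign_key, self.signing_input(msg), hashlib.sha256).hexdigest()
        return msg


class GitHub:
    """Account provider: issues tokens only it can decrypt and validates them on return."""

    def __init__(self, facebook_countersign_key: bytes):
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.fb_key = facebook_countersign_key  # assumed exchanged out of band
        self.redeemed = set()  # token ids already used (single-use is an assumption)

    def _seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: nonce || ciphertext || tag."""
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _prf_stream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("token tampered with or not issued by GitHub")
        return bytes(c ^ k for c, k in zip(ct, _prf_stream(self.enc_key, nonce, len(ct))))

    def issue_token(self, github_user: str, facebook_id: str) -> str:
        """Step 1: a logged-in user creates a token bound to the Facebook account that will hold it."""
        body = {"user": github_user, "fb": facebook_id, "id": secrets.token_hex(8)}
        return base64.urlsafe_b64encode(self._seal(json.dumps(body).encode())).decode()

    def recover(self, msg: dict, now: Optional[float] = None) -> str:
        """Step 3: check the countersignature, freshness and account binding; return the user to restore."""
        now = time.time() if now is None else now
        expected = hmac.new(self.fb_key, Facebook.signing_input(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            raise PermissionError("bad countersignature")
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            raise PermissionError("countersignature expired")
        body = json.loads(self._open(base64.urlsafe_b64decode(msg["token"])))
        if body["fb"] != msg["fb"]:  # the "same Facebook ID" rule from the article
            raise PermissionError("token was created for a different Facebook account")
        if body["id"] in self.redeemed:
            raise PermissionError("token already used")
        self.redeemed.add(body["id"])
        return body["user"]


def demo() -> dict:
    """Happy path, then the same token presented from a second Facebook account."""
    fb = Facebook()
    gh = GitHub(fb.countersign_key)
    token = gh.issue_token("octocat", "fb:1001")  # constructed IDs
    fb.save_token("fb:1001", token)
    results = {"restored": gh.recover(fb.countersign("fb:1001"))}
    fb.save_token("fb:2002", token)  # attacker copies the blob into their own account
    try:
        gh.recover(fb.countersign("fb:2002"))
        results["wrong_account"] = "accepted"
    except PermissionError as exc:
        results["wrong_account"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is where the security properties live: Facebook never needs the decryption key, so a breach of its token store leaks nothing about the GitHub account, while GitHub enforces the binding between the token's embedded Facebook ID and the ID Facebook countersigned, so a copied blob does nothing from another account. With a shared HMAC key, as here, GitHub could forge countersignatures itself; a real deployment uses a public-key signature so that only Facebook can produce one.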
Loopholes in current password recovery methods
The new service from the social media giant aims to do away with the "security questions" presented to users as part of the forgotten-password drill. These questions are not considered secure, because their answers are often common, guessable, or discoverable by a third party. For example: "What's your favourite game?" or "What's the name of your hometown?" Such answers can be guessed or looked up by an attacker, putting your personal information at risk.
Likewise, the other common method, sending a password recovery link to the user's e-mail address, is not fully secure either: many users do not protect their e-mail account with a strong password, and once an attacker controls the mailbox they can reset every other account tied to that address. Facebook's method instead relies on encrypted tokens that only GitHub can read, so neither a leaked token nor a copy of it presented from a different Facebook account is enough to take over the GitHub account; recovery requires a fresh, time-stamped countersignature from the same Facebook account that saved the token.
Commenting on the security of the new service, Facebook security engineer Brad Hill wrote in a post:
"We're releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs. Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria."
Currently the service is limited to GitHub, although Facebook expects other sites to join soon. Facebook and GitHub both plan to publish open source reference implementations of the protocol in several programming languages, so that building secure and private connections between accounts becomes easier and users never lose access.