Forgot your GitHub password? Facebook cooks up spec to reset logins via social network

Open protocol published for all app, web devs to implement

Hill and the new Facebook sign-in screen

Usenix Enigma 2017 Facebook has published a specification for providing secure and reliable account recovery in websites and applications.

Recovering access to accounts is, judging from our article archives, too easy for developers to screw up: passwords are stored in plain text, security questions can be guessed or bypassed, and so on. In his keynote at Enigma 2017, Brad Hill, a security engineer at Facebook, said whenever he carries out penetration testing, the first thing he hits up is the security questions for a password.

“As we’ve seen with Guccifer’s hacking of Colin Powell and others, once you are famous enough all security questions are trivia,” Hill said. “And as more of us spend more time online, the problem is spreading fast.”

Basically, you've got to make sure the person claiming they've forgotten their password, and needs a way to get back into the account, is the legit owner, and not an identity thief or some other miscreant. Emailing a link to the address registered with the account is one way of granting access, although it assumes the email address's account hasn't been compromised and that the user can still get into their inbox. Security codes can be texted via SMS but this is unreliable and assumes the customer hasn't lost their phone or had it stolen or seized.

To nail down a secure process for all this, Facebook has written and published a open specification that describes how to generate, for each account, a token that can be given to a third-party service. These tokens can later be used to reactivate the accounts. A developer kit and reference implementation is due to be revealed at some point.

Ahead of that public release, Facebook has worked with GitHub on a trial of the system. If someone gets locked out of their GitHub account, the code repository can ask the third-party recovery service – in this case, Facebook – for that person's token. When the user logs into their profile on the social network, Facebook releases the person's token to GitHub to complete the account recovery.

If you can't get into your Facebook profile, you’ll have to navigate its account recovery process before logging into GitHub. Essentially, the specification allows website and app programmers to push their account recovery mechanism onto an established, trusted provider, thus avoiding the reinvention of any wheels. Facebook calls this "delegated account recovery", the cynics among us call it "encouraging everyone has an active Facebook account." Or Google, or whoever else implements the protocol.

The token could also have other uses, we're told. Because they have timestamps, they could be used to authenticate a user if their credentials have been stolen and their account passwords or registered email address changed. Having a timestamped token would make restoring an account much easier – it can be used to prove you are the original owner.

This may sound like an authentication grab from Facebook, but Hill said that any service provider can implement the specification and begin storing authentication tokens. The system is being rolled out as a trial between Facebook and GitHub to limited partners, and will go on general availability later in the year.

The reason for the pause is to check the system. Facebook and Github will pay bug bounties to anyone who finds flaws in the code starting from today. Hill urged people to try to poke holes in the scheme.

Meanwhile, Facebook announced support for two-factor authentication using hardware keys for logging into the social network. ®

Sponsored: Detecting cyber attacks as a small to medium business


Biting the hand that feeds IT © 1998–2020