Forget email and recovery questions, because next-generation account recovery will be through Facebook. At least this is how the social media giant hopes to lock the next billion users into its platform. It looks as though scrolling through endless newsfeeds is no longer enough, as Facebook is close to living up to its name and will give a face to the billions of people connected to the internet. It would like to become the platform through which users will recover the password to any third-party account via its new service called Delegated Account Recovery.
Why You Need This Service
You – just like everyone else – forget passwords, and when that happens the obvious thing to do is to recover it somehow. Facebook offers to do just that, using your digital identity as confirmed by the social media platform.
Currently Available Solutions for Password Recovery
We can agree that we need a better, more secure method of account recovery, as the current options – email recovery, security questions, one-time codes sent through SMS or apps – don’t live up to high-security expectations.
Facebook’s Approach to Account Security
Becoming a key keeper first requires putting your own house in order. Over the last couple of years Facebook has taken steps to make user accounts more secure. For privacy-conscious users it has added two-step verification which, if enabled, requires a second factor from one of the authentication methods below:
- A one-time code sent by SMS.
- A code from Facebook’s own Code Generator or a third-party app.
- A code generated by your security key on a compatible device.
- Printed recovery codes.
- Login approval from a device Facebook recognizes, which requires you to first register the device.
Facebook Delegated Account Recovery as Password-less Account Backup
The service, currently in closed beta, was officially announced in early 2017. The first platform to participate in large-scale testing was GitHub, a platform dedicated to IT professionals, which might signal the intended target audience for this service.
Delegated Account Recovery isn’t meant to compete with the ‘login-with’ services that provide authentication for other online accounts. The foundation of these services is OAuth, an open protocol for secure authorization that works on the web as well as in mobile and desktop apps. For consumers ‘login-with’ means they can use their Google, Twitter, Facebook, or other account to log into another service. By choosing to do so users can skip the registration process, because the new account is created from the existing one. With that said, it’s still safer to create a new account using email than to reuse an existing social media profile.
Since it is designed for extreme scenarios (let’s say you’ve dropped your phone off a boat and you need to log into GitHub), Delegated Account Recovery seeks to overcome the security issues of SMS, OAuth, and other common recovery mechanisms.
To make it work, the service brings into play all three parties involved: the user, the account provider, and the recovery provider. In this case the recovery provider is Facebook.
To establish the recovery capability:
- The user authenticates with the account provider or creates a new account.
- The user selects Facebook’s Delegated Account Recovery as the recovery method, which makes Facebook the recovery provider.
- In response the account provider creates a recovery token and sends it to the recovery provider.
- Facebook saves the token in the user’s account and redirects the user back to the account provider.
If such an extreme case occurs, the account provider redirects the user to Facebook. If Facebook successfully authenticates the user, it creates a new token, which wraps the originally saved token, and sends it to the account provider, confirming the user’s identity. The account provider then validates both the new token and the original one, decrypts the data, and grants access to the user.
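The setup steps and the recovery round-trip described above, modelled end to end as an added example (my own constructed code, not Facebook's protocol or GitHub's implementation): the account provider issues a signed token whose data only it can read, the recovery provider stores it and later countersigns it, and the account provider validates both tokens before decrypting. The class and function names, the "ap" identifier and the sample users are assumptions; HMAC-SHA256 stands in for the real public-key signatures and for the encryption of the token data.

```python
import hmac, hashlib, json, os

# Toy model of the flow above; HMAC-SHA256 stands in for the real signatures, an HMAC keystream for encryption.
def _mac(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()
def _sign(key, payload):
    return {"payload": payload, "sig": _mac(key, payload)}
def _verify(key, token, issuer, audience):
    p = token["payload"]
    return (hmac.compare_digest(_mac(key, p), token["sig"])
            and p["issuer"] == issuer and p["audience"] == audience)

def _keystream_xor(key, nonce, data):                   # HMAC in counter mode as a PRF keystream
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AccountProvider:
    def __init__(self, rp_keys):                            # rp_keys: recovery provider name -> its verification key
        self.sign_key, self.data_key, self.rp_keys, self.issued = os.urandom(32), os.urandom(32), rp_keys, {}
    def issue_recovery_token(self, user, rp_name):          # step 3: token addressed to the chosen recovery provider
        tid = os.urandom(16).hex()
        self.issued[tid] = user                             # kept so the token can be revoked or used only once
        blob = _keystream_xor(self.data_key, bytes.fromhex(tid), user.encode()).hex()
        return _sign(self.sign_key, {"issuer": "ap", "audience": rp_name, "id": tid, "data": blob})
    def recover(self, countersigned, rp_name):
        # outer token: from the chosen recovery provider, addressed to us ("ap" is this provider's identifier)
        if not _verify(self.rp_keys[rp_name], countersigned, rp_name, "ap"):
            return None
        inner = countersigned["payload"]["original"]         # embedded token: our own, for that provider, unused
        if not _verify(self.sign_key, inner, "ap", rp_name) or self.issued.pop(inner["payload"]["id"], None) is None:
            return None
        p = inner["payload"]
        return _keystream_xor(self.data_key, bytes.fromhex(p["id"]), bytes.fromhex(p["data"])).decode()

class RecoveryProvider:
    def __init__(self, name):
        self.name, self.sign_key, self.vault = name, os.urandom(32), {}
    def countersign(self, fb_user, ap_name):                # called only after fb_user has authenticated here
        return _sign(self.sign_key, {"issuer": self.name, "audience": ap_name, "original": self.vault[fb_user]})

def run_flow(user="alice@example.com", fb_user="alice.fb"):
    rp = RecoveryProvider("facebook")
    ap = AccountProvider({rp.name: rp.sign_key})            # verification key exchanged out of band
    rp.vault[fb_user] = ap.issue_recovery_token(user, rp.name)   # step 4: saved in the user's Facebook account
    token = rp.countersign(fb_user, "ap")
    return ap.recover(token, rp.name), ap.recover(token, rp.name)   # replaying the same token must fail
```

The second call in `run_flow` shows the single-use check rejecting a replayed token; a countersignature from a party holding a different key is rejected in the same way.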
It may sound complicated, but in practice, according to the social media giant, it only takes a few clicks and your Facebook account password. Since the service is in closed beta there isn’t much information available at this stage, and Facebook doesn’t specify which of its account security tools – Facebook Login and/or Trusted Contacts – play a role in the service. Because this method isn’t standardized, it either needs further standardization or the account holder has to decide how to ensure that the user is indeed the one the original recovery token was assigned to.
Why You Should Use a Password Manager
However, as you can see, the solution can’t fully eliminate passwords, so you still need to remember at least one. That could be the password of the Facebook account you have set as the keeper of the secret key, but what if that account is not your personal account? How can you afford the luxury of remembering a single password and still be assured that everything is fine?
For this purpose there are password managers. Since Facebook’s Delegated Account Recovery service isn’t completely password-free, you can always use a password manager to store all your passwords – be that for work or personal purposes – and only have to remember the master password that opens the secret box where all the other passwords are stored.
Since the majority of password managers also offer a web-based interface, make sure you remember the key to your key-keeper box. With that, accessing all your accounts (and maybe even eliminating the need for Facebook’s Delegated Account Recovery service) is hassle-free, even if you lose your phone.
Best Password Managers of 2018