Having your email account compromised by hackers is a very, very bad thing. With control of your email, it’s all too easy for an attacker to break into all your other important accounts. It can be as easy as visiting a site like Facebook, Twitter, or iCloud and requesting a password reset.
Facebook thinks it should not be that easy for someone to wrest control of your accounts away from you. “We need something better,” security engineer Brad Hill wrote in a post on Facebook’s “Protect the Graph” page. He continued, “A way to recover access, using identities and services you trust,” adding that the “process needs to be easy, secure, and respectful of your privacy.”
Facebook calls this “something better” delegated recovery. It works somewhat like some encryption systems do. When you enable delegated recovery, Facebook creates a special recovery key or token that gets associated with your Facebook account.
Should you ever need to reset your password on a site that uses delegated recovery, you simply click a button to tell that site to verify your identity on Facebook. Facebook sends over your token, which tells the other site that you are exactly who you say you are — without actually sending that site any other information from your Facebook profile.
“This can happen in just a few clicks in your browser, all over HTTPS,” said Hill. Assuming you’ve protected your Facebook account by setting up two-factor authentication (which you really should do), this makes it extremely difficult for a hacker to keep you from regaining control of your accounts, while simultaneously making it extremely easy for you.
For now, Facebook is partnering with GitHub to test the system and let bug hunters look for security flaws. Ultimately, the company would like to see other sites adopting delegated recovery.
Given how many sites and services allow you to log in with your Facebook account, there’s a good chance you’ll see Facebook’s more secure account recovery system popping up all over the Web in the near future.