GitHub is adopting Facebook’s Delegated Recovery protocol to identify and work out security kinks in the new way users regain access to their accounts. Security researchers are encouraged to take part in the bounty program and uncover potential security flaws before the system becomes widely used across the internet.
Most websites and online services rely on email to recover user accounts and reset passwords. While password reset emails are ubiquitous, they aren’t very secure because of the underlying assumption that the user still has control over the email address and that the attackers haven’t already compromised the account. Security questions are no better, especially since anyone with a little time can engage in social engineering or online stalking to find answers to commonly asked security questions.
Facebook engineer Brad Hill unveiled Delegated Recovery at the Enigma conference on Monday, describing the protocol as a way for developers to build attack-proof password resets and account recovery. Delegated Recovery relies on the user to link together accounts on different services to verify account ownership. When the link is made initially, the two sites exchange cryptographically secured data tokens. No identifiable information about the user—such as the email address registered to the account, phone number, or even name—gets shared as part of the exchange.
With GitHub supporting the protocol, users can proactively link their Facebook accounts with their GitHub accounts. The only thing GitHub knows is that the user also has an account on Facebook; Facebook knows the user has an account on GitHub, but nothing else is shared. If a user loses control of the GitHub account, the user can log in to Facebook to send a time-stamped recovery token to GitHub to unlock their account.
At the moment, Delegated Recovery is limited to connecting with Facebook, But the protocol is intended to be open to linking any sites supporting the protocol; Facebook doesn’t need to be part of the equation. Facebook plans to publish an open source reference implementation of the protocol in several languages. The GitHub page currently has just the specification.
Since the tokens being exchanged are time-stamped and the contents are cryptographically signed, the protocol can be used for purposes other than account recovery. The specification describes how Delegated Recovery can be used to recover encrypted email or files. “For example, the provider of an encryption service might use a threshold cryptosystem to break a key into several parts, and ask the user to store the pieces (encoded in the opaque data field) as account recovery tokens at several providers. If the user loses their own copy of the key, they can still recover it, but the backup is not subject to server-side compromise by any single entity,” Hill wrote in the specification.
Delegated Recovery shifts the work behind account recovery away from individual site owners and developers and onto established providers. This is similar to how websites and app developers can decide to shift login and password security tasks to Google and similar providers (“Login with Google”) instead of managing account credentials themselves.
“Allow network services that do not have the resources or information to build a secure and usable account recovery process to delegate the function to network services that can,” Hill wrote.
GitHub’s rollout is limited to get bug reports from security researchers. General availability for other sites is planned for later this year.