Facebook, GitHub team up to make password resets more secure
GitHub is adopting Facebook’s Delegated Recovery protocol to identify and work out security kinks in the new way users regain access to their accounts. Security researchers are encouraged to take part in the bounty program and uncover potential security flaws before the system becomes widely used across the internet.
Most websites and online services rely on email to recover user accounts and reset passwords. While password reset emails are ubiquitous, they aren’t very secure because of the underlying assumption that the user still has control over the email address and that the attackers haven’t already compromised the account. Security questions are no better, especially since anyone with a little time can engage in social engineering or online stalking to find answers to commonly asked security questions.
Facebook engineer Brad Hill unveiled Delegated Recovery at the Enigma conference on Monday, describing the protocol as a way for developers to build attack-proof password resets and account recovery. Delegated Recovery relies on the user to link together accounts on different services to verify account ownership. When the link is made initially, the two sites exchange cryptographically secured data tokens. No identifiable information about the user—such as the email address registered to the account, phone number, or even name—gets shared as part of the exchange.
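The following is an added, simplified model of the exchange described above (the account-holding site issues an opaque token, the recovery site stores it and later counter-signs it, and the issuer verifies both before restoring access); it is illustrative code, not Facebook's or GitHub's implementation. It assumes HMAC-SHA256 as a stand-in for the signatures each site would produce with its own key, that the issuer already knows the recovery site's verification key, and hypothetical class and field names.

```python
import hashlib, hmac, json, secrets, time

class RecoveryProvider:
    """Site that stores the opaque token on the user's behalf (hypothetical)."""
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)   # stand-in for its signing key
        self._saved = {}                     # local username -> stored token

    def save_token(self, local_user, token):
        # Stores the blob as-is; it learns nothing about the user's other account.
        self._saved[local_user] = token

    def countersign(self, local_user):
        # Returns the stored token plus this site's own MAC over it.
        token = self._saved[local_user]
        mac = hmac.new(self.key, token["payload"].encode(), hashlib.sha256).hexdigest()
        return token, mac

class AccountProvider:
    """Site whose account is being recovered (hypothetical)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never shared with the other site
        self._issued = {}                    # opaque token id -> internal user id
        self._used = set()                   # ids already redeemed (replay guard)

    def issue_token(self, internal_user_id, audience):
        token_id = secrets.token_hex(16)     # random handle, carries no PII
        self._issued[token_id] = internal_user_id
        body = {"id": token_id, "aud": audience, "iat": int(time.time())}
        payload = json.dumps(body, sort_keys=True)
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}

    def recover(self, token, counter_mac, presenter):
        payload = token["payload"].encode()
        own = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(own, token["mac"]):
            return None                      # forged or tampered token
        body = json.loads(payload)
        if body["aud"] != presenter.name:
            return None                      # token was bound to a different site
        theirs = hmac.new(presenter.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(theirs, counter_mac):
            return None                      # presenter did not vouch for it
        if body["id"] in self._used:
            return None                      # already redeemed
        self._used.add(body["id"])
        return self._issued.get(body["id"])
```

The token handed to the recovery site contains only a random id, an audience and a timestamp, so a breach there yields no email address, name or phone number, and a redeemed, tampered or mis-audienced token is rejected by the issuer.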