How do you reset the password for your Facebook account if your primary email account also gets hacked?

Using SMS-based security code or maybe answering the security questions?

Well, it's 2017, and we are still forced to depend on insecure and unreliable password reset schemes like email-based or SMS code verification process.

But these traditional access recovery mechanisms aren't safe enough to protect our all other online accounts linked to an email account.

Yahoo Mail can be used as an excellent example.

Once hackers have access to your Yahoo account, they can also get into any of your other online accounts linked to the same email just by clicking the link that says, "Forgot your password?"

Fortunately, Facebook has a tool that aims to fix this process, helping you recover access to all your other online accounts securely.

At the Enigma Conference in Oakland, California on Monday, Facebook launched an account recovery feature for other websites called Delegated Recovery — a protocol that helps applications delegate account recovery permissions to third-party accounts controlled by the same user.

Starting today, Delegated Recovery is available to GitHub users for account recovery, allowing them to set up encrypted recovery tokens for their Github accounts in advance and save it with their Facebook accounts.

So in case they ever lose access to their Github account, they can re-authenticate to Facebook and request the stored token be sent from their Facebook account back to Github with a time-stamped signature, proving their identities and securely regaining access to their accounts.

This whole process takes place over encrypted HTTPS Web links and completes within a few seconds.
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

Since the stored token is encrypted, even Facebook can not read the personal data stored in that token.

The social network giant also assured that except its assertion that the person recovering the GitHub account is the same who saved the token, the company doesn't share any personal information about the user with GitHub.

According to the social networking giant, the Delegated Recovery service will be especially helpful for online users who have lost their smartphones, physical tokens or keys used as a second factor of authentication.
"We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook." said Brad Hill, Security Engineer at Facebook
Facebook has published the protocol behind the feature and the technical specifications on its GitHub page. You can also read more information about the feature on Facebook's official post.

Since no system is hacker-proof, Facebook has invited hackers and security community for reporting bugs, submit suggestions, and feedback.

Delegated Recovery is part of Facebook's bug bounty program, allowing security researchers and bug hunters to test and find out security vulnerabilities in it.

This tool is being released as open-source that would allow other third-party sites to implement it, but for now, the service is available only for GitHub.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.