Facebook Looks to Secure Password ResetsSocial Network Takes Email, SMS Out of the Password Recovery Process
Facebook has devised a password reset system that doesn't rely on widely used, yet insecure, methods - such as security questions or emailed links - to recover access to an account.
The social networking service is aiming to solve a large problem: Often, email accounts are compromised, and security questions are easy to guess. Facebook Security Engineer Brad Hill writes in a blog post that those verification methods are showing their age.
Delegated Recovery enables a user to generate an encrypted authentication token in advance for another web service that is then saved by Facebook.
"Neither offers the end-to-end security guarantees we expect from modern protocols, and these methods are becoming less reliable as the next billion people are getting online for the first time," writes Hill, who presented the system on Monday at the Usenix Enigma conference in Oakland.
Facebook is testing its system with GitHub, although it will be open source and available to any service provider. It relies on a protocol Facebook built from scratch called Delegated Recovery. If someone wants to reset a password, Facebook acts as a trusted authority that can tell GitHub an account owner's efforts to change a password are legitimate.
The problems with security questions are well known. Through open-source research and a cornucopia of stolen data sold by hackers on black markets, personal information isn't hard to come by. Subsequently, security questions are less of a barrier.
Last year, Yahoo disclosed that suspected state-sponsored hackers obtained personal information and the encrypted passwords for more than 1 billion users. The information disclosed included unencrypted security questions and answers (see Yahoo Breach Alert: 1 Billion Accounts at Risk).
Securely resetting passwords is a vexing issue for web services. If a hacker already controls someone's email account, the link to reset the password can be intercepted. SMS verifications are problematic because attackers could steal someone's phone number by convincing an operator they're someone else.
Delegated Recovery enables a user to generate an encrypted authentication token in advance for another web service that is then saved by Facebook. If a password is forgotten or lost, the user can re-authenticate to Facebook, which then sends the token to the third-party service with a time-stamped countersignature, Hill writes. The password can then be reset.
"Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are," Hill writes. "This can happen in just a few clicks in your browser, all over HTTPS."
The idea of having one service vouch for the identity of someone is referred to as federated identity. Facebook already offers a service that allows application developers to use its authentication platform to log into an external application. But it doesn't manage password resets.
Hill writes that "federated identity systems solve some problems but are economically unacceptable in many situations to both users and platforms." Delegated Recovery is similar to OAuth in some respects but with key differences. The encrypted tokens have an indefinite lifetime and "derive their authority at a point in time from being signed with currently published public keys, discoverable over HTTPS," according to documentation.
This process avoids security questions, email links and SMS messages. But of course, it will only be successful if an account with a verifying authority hasn't been compromised. Facebook has taken many steps - from two-factor authentication to login notifications - to secure its users' accounts. If used, those features substantially reduce a risk of a hack.
Facebook's new system avoids another privacy issue, which apparently experienced recently by U.S. President Donald Trump.
A hacker claims he found that Trump and several others close to him failed to use a security setting on Twitter that masks sensitive data. If the feature isn't enabled, Twitter will show redacted versions of information, such as a phone number and email address, if someone who doesn't own the account initiates a password reset. The hacker contended he was able to then guess email addresses, an obvious concern due to email-launched attacks (see Hacker Issues Twitter Security Fail Warning to Trump).
Hill notes this advantage of Delegated Recovery: "The design is focused on user choice and privacy and avoids asking people to bargain with their personal information to obtain this basic necessity of online life."
Facebook's idea is far from a silver bullet, but it does remove several key weaknesses that can be exploited by hackers, which marks progress in the password conundrum.