Delegated Recovery works solely through the exchange of a recovery token.
Delegated Recovery works solely through the exchange of a recovery token.

Facebook launched a new strategy by which users can regain access to lost online accounts enlisting an agreement between various online services.

During a presentation on Monday at the USENIX Enigma conference in Oakland, Calif., titled "Moving Account Recovery beyond Email and the "Secret" Question," Brad Hill, security engineer at Facebook, discussed the protocol which can enable one online service to validate a user's credentials on another website. That is, the strategy can allow applications to manage account recovery permissions to third-party accounts under the control of the same user.

Rather than asking for security questions, SMS codes or email messages, Delegated Recovery works solely through the exchange of a recovery token, which users are required to create. The recovery token is encrypted and no online service that temporarily stores these tokens can read them, Hill said.

As well, the token includes a time-stamped counter-signature and the issuing service can discern if someone altered the original token.

“An email address alone can't provide the same level of two-factor authentication to recover access,” explained Hill, “so starting Tuesday, you'll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub.”

The mechanism is now being tested by Facebook and GitHub.

"At a high level, the delegated recovery strategy is a much better alternative assuming that each and every service provider and relying party is in possession of 'everything there is to know' about all users," Kayvan Alikhani, lead technologist, identity and authentication at RSA, told SC Media on Wednesday. "By embracing the islands of identity for identity proofing, user identities can be confirmed assertively using a trusted partner's solution."

This is one additional way to achieve a certain level of identity assurance without duplicating identity data in more places than needed, Alikhani added. "With islands of identity becoming more and more of a reality, the strategy makes sense: use external, trusted sources of identity for account recovery."

That's owing to the fact that in many cases, Alikhani said, the delegate's identity service may have been used more often by the user, or the partner's system may have done a better job at proofing the user's identity during their onboarding process, making that service the best option to rely on for delegated account recovery.