Fresh from its recent announcement detailing support for security keys, Facebook revealed Jan. 30 that it is introducing a new tool that will let you protect your other accounts in case your email gets hacked.
The idea stems from concerns about email security as demonstrated by the historic data breach at Yahoo that compromised billions of email accounts.
Risk In Using Email Recovery
If a hacker — using tools such as phishing — is able to access a user's email, then it will open the floodgates, so to speak. The reason is that email serves as an authentication tool to recover other accounts.
For example, a hacker will be able to access your Dropbox account by simply clicking the Forgot Password option in the login panel. If the two-step verification feature has not been activated, Dropbox will reset your password and send a new one to your email. The hacker can just repeat this process for other accounts linked to the hacked email.
Two-Factor Authentication
Two-factor authentication is considered the gold standard in securing digital accounts and personal data. However, users are turned off by the fact that this process is quite roundabout. In addition, account recovery is also complex if you lose the device used to retrieve the verification code required when logging in.
"We need something better—a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number," Brad Hill, a security engineer at Facebook, said.
Facebook Solution
The social media company announced that its users could use their Facebook accounts in the future as the second factor in a two-step authentication process to gain access.
In this case, Facebook is not going to share any user data. It will only send a token back to the requesting site to authenticate the identity of the user. The token will carry a time-stamped counter-signature, asserting that the user is the same person who saved that token.
The process is simple and, most importantly, everything is accomplished without leaving your browser or needing to fiddle with another device or memorize a verification code.
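To make the token flow above concrete, here is an added sketch (not Facebook's or GitHub's code) of the three steps: the requesting site mints an opaque token, the recovery provider later hands it back with a time-stamped counter-signature, and the site verifies both signatures, the freshness, and that the token matches the one it recorded. It assumes HMAC-SHA256 with constructed shared keys in place of the protocol's public-key signatures, so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys for this sketch. The real protocol relies on public-key
# signatures; HMAC-SHA256 with shared keys stands in here (assumption) so
# the flow runs with the standard library alone.
SITE_KEY = b"constructed-requesting-site-key"
PROVIDER_KEY = b"constructed-recovery-provider-key"


def _sign(key: bytes, obj) -> str:
    """Deterministic MAC over a canonical JSON encoding of obj."""
    payload = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(site_key: bytes, issued_at: int):
    """Requesting site mints an opaque token for the user to save at the
    recovery provider. The token carries no account data; the site keeps a
    hash of its id and maps that hash to the account locally."""
    body = {"id": secrets.token_hex(16), "issuer": "example-site", "issued_at": issued_at}
    token = {"body": body, "sig": _sign(site_key, body)}
    id_hash = hashlib.sha256(body["id"].encode()).hexdigest()
    return token, id_hash


def countersign(provider_key: bytes, saved_token: dict, now: int) -> dict:
    """Recovery provider returns the saved token with a time-stamped
    counter-signature asserting that the same logged-in user saved it."""
    claim = {"token": saved_token, "countersigned_at": now}
    return {**claim, "countersig": _sign(provider_key, claim)}


def verify_recovery(site_key, provider_key, stored_id_hash, response, now, max_age=300) -> bool:
    """Site-side check before resetting credentials: the token is one it
    issued, the provider's counter-signature is genuine and fresh, and the
    token id matches the one recorded for this account."""
    token = response["token"]
    if not hmac.compare_digest(token["sig"], _sign(site_key, token["body"])):
        return False  # not a token this site issued, or it was tampered with
    claim = {"token": token, "countersigned_at": response["countersigned_at"]}
    if not hmac.compare_digest(response["countersig"], _sign(provider_key, claim)):
        return False  # counter-signature not from the trusted provider
    if not 0 <= now - response["countersigned_at"] <= max_age:
        return False  # stale or future-dated assertion (replay protection)
    id_hash = hashlib.sha256(token["body"]["id"].encode()).hexdigest()
    return hmac.compare_digest(stored_id_hash, id_hash)
```

Note that the provider only ever sees the opaque token, so the recovery assertion reveals nothing about the account at the requesting site.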
Limited Rollout
Presently, this service is only available to GitHub users. According to Hill, however, Facebook is encouraging other platforms to adopt the Facebook tool. To this end, the protocol behind the feature has been published on the social media company's GitHub page.
GitHub is also said to be publishing its own implementation of the protocol so other companies can more easily build their own implementations based on it.
All the relevant information is also available to developers. Facebook declared that it welcomes input from the security community and will reward those who report bugs and security issues, based on Facebook's and GitHub's security criteria.