Robert McMillan reports in the Wall Street Journal:
Facebook Inc. is unveiling new technology to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people’s digital lives.
The technology, dubbed delegated account recovery, gives users who have forgotten their passwords or been locked out of an account after a mobile-phone switch a new way to verify their identity so they can log into password-protected sites.
Currently, websites generally request email addresses or mobile-phone numbers that can be used to aid people who forget their passwords. Criminals sometimes abuse these password reset systems to break into online accounts. In a scam detailed by researchers at Symantec Inc. last year, for example, criminals tricked Gmail users into disclosing verification codes sent via text message.
Facebook, which has long tried to make its service more central to people’s internet use, already enables logins to many websites via users’ Facebook accounts. But it doesn’t play a role in resetting passwords on other sites.
With delegated account recovery, a user would first link the site’s password recovery service to his Facebook account. Then, after losing a password, he could click on a “recover this account” button within Facebook to reset the non-Facebook account, after first reconfirming his identity with Facebook. The company thinks its new tool could be more secure than existing recovery techniques, and would like to eventually see other sites use it to help Facebook users recover their accounts, said Brad Hill, a security engineer at Facebook who worked on the technology. Email, for example, doesn’t offer the end-to-end cryptographic security of Facebook’s system, he said.
“The industry has spent a lot of time on the password problem, but we haven’t made a lot of traction on making account recovery better,” Mr. Hill said. The technology will initially only work on websites, although Facebook could eventually extend it to work on apps too, he said.
Facebook is publishing specifications describing how its system works, so other websites can test it to see if they want to add it as an option for their users. Facebook has worked with GitHub Inc., a software-developer website, on an early experiment of the system that will allow GitHub users to reset their accounts, he said.
GitHub expects to go live with its system on Tuesday, a GitHub spokeswoman said.
It is the second security enhancement to come out of Facebook in a week. Last Thursday, the company said that it would allow users to use hardware “dongles” containing cryptographic keys to help secure their Facebook accounts. Security experts say that these keys can be a more secure way of locking down accounts than, for example, security codes sent via text messages.
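The recovery flow the article describes (link the site to a recovery provider up front, then have the provider hand back a recovery credential only after the user reconfirms their identity) is easier to reason about in code. What follows is an added illustration, not part of the article and not Facebook's published specification, which the article does not reproduce. It models the general shape of a delegated recovery exchange: the site seals an opaque token under an AES-GCM key only it holds, the provider stores the blob without being able to read it and later countersigns it with ECDSA, and the site verifies the countersignature, opens the token and checks the account-to-provider-user link before allowing a reset. The `Site` and `Provider` types, the in-memory stores and the identifiers `alice@example.test` and `fb:alice` are all assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is unrecoverable here
	}
	return b
}

// Site is the relying website (constructed for this example). It seals recovery
// tokens under a key only it holds, so the provider stores opaque blobs it can neither read nor forge.
type Site struct {
	aead   cipher.AEAD
	linked map[string]string // account ID -> provider user handle allowed to recover it
}

func NewSite() *Site {
	block, _ := aes.NewCipher(randBytes(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)          // cannot fail for an AES block
	return &Site{aead: aead, linked: map[string]string{}}
}

// Link is the setup step: record which provider user may recover the account and issue a sealed token for the provider to keep.
func (s *Site) Link(accountID, providerUser string) []byte {
	nonce := randBytes(s.aead.NonceSize())
	s.linked[accountID] = providerUser
	return s.aead.Seal(nonce, nonce, []byte(accountID), nil)
}

// Provider plays the recovery-provider role (the one the article assigns to Facebook); also constructed for this example.
type Provider struct {
	priv  *ecdsa.PrivateKey
	store map[string][]byte // provider user handle -> stored opaque token
}

func NewProvider() *Provider {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Provider{priv: priv, store: map[string][]byte{}}
}

func (p *Provider) Save(user string, token []byte) { p.store[user] = token }

// countersignInput binds the token to the provider user who re-proved identity, so it cannot be replayed for someone else.
func countersignInput(token []byte, user string) []byte {
	h := sha256.Sum256(append(append([]byte{}, token...), user...))
	return h[:]
}

// Recover is the "recover this account" click: the countersigned token is released only after the user reconfirmed identity.
func (p *Provider) Recover(user string, authenticated bool) (token, sig []byte, err error) {
	if !authenticated {
		return nil, nil, errors.New("user did not re-authenticate with provider")
	}
	if token = p.store[user]; token == nil {
		return nil, nil, errors.New("no token linked for this user")
	}
	sig, err = ecdsa.SignASN1(rand.Reader, p.priv, countersignInput(token, user))
	return token, sig, err
}

// Complete is the site's side: verify the countersignature, open the token with the site's own key,
// and check the account really is linked to the provider user who recovered it. Only then may a reset proceed.
func (s *Site) Complete(pub *ecdsa.PublicKey, user string, token, sig []byte) (string, error) {
	ns := s.aead.NonceSize()
	if len(token) < ns || !ecdsa.VerifyASN1(pub, countersignInput(token, user), sig) {
		return "", errors.New("malformed token or invalid provider countersignature")
	}
	plain, err := s.aead.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return "", errors.New("token not issued by this site, or tampered with")
	}
	if accountID := string(plain); s.linked[accountID] == user {
		return accountID, nil
	}
	return "", errors.New("token is not linked to this provider user")
}

func main() {
	site, prov := NewSite(), NewProvider()
	prov.Save("fb:alice", site.Link("alice@example.test", "fb:alice")) // constructed sample identifiers
	tok, sig, _ := prov.Recover("fb:alice", true)
	fmt.Println(site.Complete(&prov.priv.PublicKey, "fb:alice", tok, sig))
}
```

All of the checks a site must make before resetting anything sit in `Complete`: the countersignature proves the provider re-authenticated this particular user, opening the token proves the site itself issued it and nobody altered it, and the link table ties that account to that provider user, so a genuine token saved under someone else's provider account is still refused. This is the property the article contrasts with e-mail recovery, where the site has no cryptographic evidence of who read the reset link. A production deployment would additionally expire and rotate tokens, protect the site key in an HSM or KMS, and log every recovery attempt.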