Lately there has been some buzz about delegate account recovery, yet not many people know what it is or how it will affect their daily logins to various sites. I started researching “delegate account recovery” and found that Facebook not only has a great definition and overview of it but also an outlook on what they hope the future holds for passwords.
Per Facebook, delegate account recovery helps people quickly provision a way to recover access after losing a password or contact point by proving continuity of their identity at another trusted service. With delegate account recovery, people can ensure they have a reliable way to regain access in extraordinary circumstances, using strongly attached accounts, without sharing personal information. It provides better security than password reset links sent by email, and helps avoid the problems caused by changing phone numbers and email addresses.
Social login products like Facebook Login can solve the basic needs of account recovery. A social login flow, however, may not be ideal if you need to retain full control of the primary account registration and login flows. Facebook hopes to open the ability for any service to improve its account recovery experience using Facebook. They also want to let people use other accounts to help recover their access to Facebook.
- Streamline the provisioning of a recovery method at account creation time
- Provide a second recovery factor for high security accounts
- Serve as a backup for password-less accounts that log in directly through an email address or phone number contact point
Unlike email, SMS, OAuth or other common recovery mechanisms, the design of Delegated Account Recovery enables some unique and useful optional features:
- Facebook can provide a webhook callback if the recovery link between your service and a Facebook account is broken, so you can prompt the customer to establish a new way to recover
- You can store a small amount of data in a recovery token. Facebook never has access to that data, and your service can only see it again with the user’s consent. This opens interesting possibilities, like enabling recovery of data encrypted with a key that is held only by the customer.
Support for delegate account recovery can be discovered with a simple HTTP query, and it requires no advance provisioning of developer accounts, terms-of-service agreements or application configuration. You can instantly use any service your customers might choose that advertises the protocol.
How Facebook Delegated Account Recovery Works
There are three parties involved in an account recovery:
- The User is a person with accounts at both the Account Provider and Recovery Provider.
- The Account Provider is the site where the User has an account they need to be able to recover if they lose their password. Your service is the Account Provider when using Delegated Account Recovery with Facebook.
- The Recovery Provider is another service that the User trusts to recover accounts elsewhere. This guide documents using Facebook as a Recovery Provider, but other services may also offer the protocol.
Establishing a recovery capability:
At a high level the first phase is as follows:
- The User authenticates to the Account Provider, or is in the process of creating a new account there.
- The User chooses a Recovery Provider to use that is supported by the Account Provider.
- The Account Provider creates a recovery token and has the User’s browser send it to the Recovery Provider.
- The Recovery Provider saves the token to the User’s account there and redirects back to the Account Provider.
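The steps above, sketched from the Account Provider's side as an added example (not Facebook's code and not the protocol's real token format). The origins, the JSON layout and the HMAC tag are assumptions standing in for the protocol's own signed token, and the check on a returned token goes one step past the list.

```python
import base64, hashlib, hmac, json, os, time

# Assumed names: both origins and the in-memory stores are placeholders.
AP_ORIGIN = "https://account-provider.example"
RP_ORIGIN = "https://recovery-provider.example"
AP_KEY = os.urandom(32)   # signing secret, never leaves the Account Provider
ISSUED = {}               # token id -> username, kept by the Account Provider

def _tag(raw):
    return hmac.new(AP_KEY, raw, hashlib.sha256).digest()

def create_recovery_token(username, sealed_data=b""):
    """Build the token the User's browser carries to the Recovery Provider.
    sealed_data must already be encrypted by the Account Provider (or the
    customer), so the Recovery Provider stores it without being able to read it."""
    body = {
        "id": os.urandom(16).hex(),
        "issuer": AP_ORIGIN,
        "audience": RP_ORIGIN,
        "issued": int(time.time()),
        "data": base64.b64encode(sealed_data).decode(),
    }
    raw = json.dumps(body, sort_keys=True).encode()
    ISSUED[body["id"]] = username   # the link that a later recovery relies on
    return (base64.urlsafe_b64encode(raw).decode() + "."
            + base64.urlsafe_b64encode(_tag(raw)).decode())

def verify_returned_token(token):
    """Checks to run when a saved token comes back during recovery.
    Returns (username, sealed_data), or None if any check fails."""
    try:
        raw_b64, tag_b64 = token.split(".")
        raw = base64.urlsafe_b64decode(raw_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:              # wrong shape or bad base64
        return None
    if not hmac.compare_digest(tag, _tag(raw)):
        return None                 # modified, or not issued by us
    body = json.loads(raw)
    if body["issuer"] != AP_ORIGIN or body["audience"] != RP_ORIGIN:
        return None                 # meant for a different pair of services
    username = ISSUED.get(body["id"])
    if username is None:
        return None                 # link was removed or never existed
    return username, base64.b64decode(body["data"])
```

Deleting an entry from `ISSUED` is how this sketch models a broken recovery link: the token still carries a valid tag but no longer maps to an account.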
I personally am a supporter of delegate account recovery, mainly because I have so many accounts that I lose or forget passwords. Delegate Account Recovery may even cut hours spent resetting accounts, creating a new account or waiting for confirmations via email.
If you would like to learn more about Facebook and delegate account recovery click here. It’s worth checking out!