Security questions, two-factor authentication, SMS messages and phone calls are the usual tools for recovering a lost password from an online service. That may be about to change. Facebook and GitHub, the code-sharing and publishing service that is essentially a social network for programmers, have unveiled a new service that addresses the forgotten-password problem.
The new service was launched yesterday and lets users who have lost their GitHub login credentials regain them securely within seconds over encrypted HTTPS connections. To use it, a user must create a GitHub recovery token in advance and save it to their Facebook account. When recovery is needed, the user re-authenticates to Facebook and asks for the token to be sent back to GitHub together with a time-stamped signature. The exchange is encrypted, so none of the participants can read any personal information.
Once the request has been sent, the GitHub account can be recovered. The new service could replace today's questionable account-recovery methods, such as answering security questions. Questions like “What is your favorite sport?” and “What is your favorite pizza topping?”, which United Airlines asks, are no serious defense.
For now the service works only with GitHub, but other third-party sites are expected to join soon. The Facebook side of the service can be rate limited, so if a Facebook account is hijacked, the rate limit prevents the attacker from recovering all of the linked third-party accounts at once.
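As an added illustration (not Facebook's or GitHub's code), here is a simplified model of the flow described above: the account provider mints an opaque token that the user stores with the recovery provider, the recovery provider countersigns a time-stamped recovery request after re-authenticating the user, and the account provider checks the countersignature, the timestamp window and single use before releasing the account. The keys, the use of HMAC in place of real signatures, and the 300-second validity window are assumptions made for this example.

```python
# Illustrative delegated-account-recovery model (constructed example, stdlib only).
# HMAC with a key known to both parties stands in for the public-key signatures a
# real deployment would use; the keys below are generated just for this demo.
import hmac, hashlib, secrets

ACCOUNT_KEY = secrets.token_bytes(32)   # held by the account provider (GitHub role)
RECOVERY_KEY = secrets.token_bytes(32)  # held by the recovery provider (Facebook role)
MAX_AGE = 300                           # seconds a countersigned request stays valid

_issued = {}   # account-provider state: opaque token id -> user (constructed here)
_used = set()  # token ids that have already been redeemed

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_token(user_id):
    """Account provider mints an opaque token; it carries no personal data, only a random id,
    so the recovery provider that stores it learns nothing about the account."""
    token_id = secrets.token_hex(16)
    _issued[token_id] = user_id
    return token_id + "." + _mac(ACCOUNT_KEY, token_id.encode())

def countersign(token, timestamp):
    """Recovery provider, after re-authenticating the user, time-stamps and signs the request."""
    msg = f"{token}|{timestamp}".encode()
    return {"token": token, "ts": timestamp, "sig": _mac(RECOVERY_KEY, msg)}

def recover(request, now):
    """Account provider validates a countersigned request; returns the user id or None."""
    msg = f"{request['token']}|{request['ts']}".encode()
    if not hmac.compare_digest(request["sig"], _mac(RECOVERY_KEY, msg)):
        return None  # not signed by the trusted recovery provider
    if not 0 <= now - request["ts"] <= MAX_AGE:
        return None  # stale or future-dated request: blocks replay of old approvals
    token_id, _, tag = request["token"].partition(".")
    if not hmac.compare_digest(tag, _mac(ACCOUNT_KEY, token_id.encode())):
        return None  # token was not minted by this account provider
    if token_id not in _issued or token_id in _used:
        return None  # unknown or already redeemed token
    _used.add(token_id)  # each token unlocks recovery exactly once
    return _issued[token_id]
```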