Facebook introduced a new password recovery system for GitHub which utilizes recovery tokens connected to Facebook accounts. The new feature is available to GitHub users as of today, the company's Security Engineer Brad Hill announced. Facebook's new invention aims to eliminate vulnerabilities in traditional password recovery solutions which are often insecure and make the security of actual authentication procedure irrelevant seeing how malevolent individuals can simply trick the recovery system into sending them a (new) password.
To combat that issue, Facebook accounts can now be used in the process of two-factor authentication for password recovery at GitHub. Users can take advantage of the feature by using their Facebook accounts to save a recovery token which can later serve as a form of authentication. Once that action is performed, passwords of GitHub accounts can be reset by logging into Facebook which will automatically send a recovery token back to GitHub. If the token sent back to GitHub matches the one GitHub originally sent to Facebook, a user will be able to reset their password. The recovery token used in this procedure is encrypted using contemporary standards, meaning Facebook isn't able to access any information it contains. Furthermore, the Menlo Park-based social media giant claims it also isn't sending any other personal information to GitHub given how the online repository only needs the original token to verify one's identity. The entire process apparently takes just a few clicks and is performed through HTTPS.
The announcement of this feature comes shortly after Facebook introduced USB keys, another form of two-factor authentication designed to improve online security. The social media company has recently been hard at work making account verification both secure and convenient, and this move can be interpreted as another step in that endeavor. While the company's token-based authentication is currently limited to GitHub, Hill said that Facebook is hoping the method will be adopted by other online services in the future. The feature is also a part of the company's bug bounty program, meaning security experts can earn money by identifying any vulnerabilities in the procedure. In addition to Facebook, individuals who manage to spot any weaknesses in this solution will also be financially rewarded by GitHub. It remains to be seen whether other online services agree with Hill's assessment that a password recovery mechanism reliant on a Facebook account is secure enough to warrant implementation.