Slashdot Mirror


Facebook's New Tool Looks To Replace Traditional Two-Factor Authentication (thenextweb.com)

Facebook today unveiled a new feature to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people's digital lives. From a report: Delegated Recovery, as it's being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) -- which should be most of us. The security feature addresses the common concern of losing the device tied to your account. With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you'd simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
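The flow the summary describes, as an added worked example (not Facebook's or GitHub's code; the page gives no token format or signature scheme, so the AES-GCM sealing, the ECDSA countersignature, and the account and user names below are this example's assumptions): the account provider seals the token so the recovery provider stores only ciphertext, the recovery provider countersigns the token when the logged-in user asks for it back, and the account provider accepts it only if the countersignature verifies and the token still opens under its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AccountProvider models the site being recovered (GitHub in the article); only it holds the AES key that opens a token.
type AccountProvider struct{ aead cipher.AEAD }

// RecoveryProvider models Facebook: it stores tokens as opaque bytes and countersigns them on release.
type RecoveryProvider struct {
	signKey *ecdsa.PrivateKey
	vault   map[string][]byte // user -> stored token
}

func NewAccountProvider() (*AccountProvider, error) {
	key := make([]byte, 32) // AES-256 key; never leaves this provider
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &AccountProvider{aead: aead}, err
}

func NewRecoveryProvider() (*RecoveryProvider, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RecoveryProvider{signKey: sk, vault: map[string][]byte{}}, err
}

// IssueToken seals accountID with AES-GCM. Layout (this example's own, not the real
// wire format): nonce(12) || ciphertext || tag, so any altered byte fails to open later.
func (ap *AccountProvider) IssueToken(accountID string) ([]byte, error) {
	nonce := make([]byte, ap.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ap.aead.Seal(nonce, nonce, []byte(accountID), nil), nil
}

// Store keeps a token for a user; the recovery provider has no key to open it.
func (rp *RecoveryProvider) Store(user string, tok []byte) {
	rp.vault[user] = append([]byte(nil), tok...)
}

// Release hands the token back with an ECDSA countersignature. In the described flow this
// happens only after the user logs in to the recovery provider; that login is assumed here.
func (rp *RecoveryProvider) Release(user string) (tok, countersig []byte, err error) {
	tok, ok := rp.vault[user]
	if !ok {
		return nil, nil, errors.New("no token on file for user")
	}
	d := sha256.Sum256(tok)
	countersig, err = ecdsa.SignASN1(rand.Reader, rp.signKey, d[:])
	return tok, countersig, err
}

// Recover is the account provider's acceptance check: the countersignature must verify under
// the enrolled recovery provider's key, and the token must open under this site's own key.
func (ap *AccountProvider) Recover(tok, countersig []byte, rpPub *ecdsa.PublicKey) (string, error) {
	d := sha256.Sum256(tok)
	if !ecdsa.VerifyASN1(rpPub, d[:], countersig) {
		return "", errors.New("countersignature not from the enrolled recovery provider")
	}
	ns := ap.aead.NonceSize()
	if len(tok) < ns {
		return "", errors.New("token too short")
	}
	plain, err := ap.aead.Open(nil, tok[:ns], tok[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("token rejected: %w", err) // forged or altered bytes land here
	}
	return string(plain), nil
}

func main() {
	ap, _ := NewAccountProvider()
	rp, _ := NewRecoveryProvider()
	tok, _ := ap.IssueToken("octocat") // constructed account id
	rp.Store("alice", tok)             // constructed recovery-provider user
	got, csig, _ := rp.Release("alice")
	id, err := ap.Recover(got, csig, &rp.signKey.PublicKey)
	fmt.Println("recovered:", id, "err:", err)
	got[len(got)-1] ^= 0x01 // token altered in the recovery provider's storage
	got, csig, _ = rp.Release("alice")
	_, err = ap.Recover(got, csig, &rp.signKey.PublicKey)
	fmt.Println("tampered token accepted:", err == nil)
}
```

Run with `go run`: the first recovery succeeds, the altered token is rejected, and a countersignature from any other key is refused. The example also makes the limit of the design visible, which the comments below pick up on: the recovery provider countersigns for whoever passes its login, so the token being unreadable to Facebook says nothing about what happens if the Facebook account itself is taken over.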

9 of 75 comments

  1. Won't Share by Anonymous Coward · · Score: 3, Insightful

    Fakebook won't share it unless the gov makes them.

  2. I'm looking to reduce Facebook in my life by QuietLagoon · · Score: 5, Insightful

    Not increase it. There is NO WAY I'd link Facebook in with any security process I have or use. NO WAY.

  3. A Facebook promise? by QuietLagoon · · Score: 5, Interesting

    ...Facebook also promises not to share it with third-party websites...

    That sounds like a marketing interpretation of a privacy policy that probably is as leaky as a sieve.

    1. Re:A Facebook promise? by cdrudge · · Score: 4, Interesting

      Well technically 3rd party companies aren't third party websites although they may operate websites. And of course government agencies aren't websites either...

  4. They delete and lock accounts too often by daninaustin · · Score: 2

    It's too easy to get your Facebook account deleted or locked out for it to be useful for this.

  5. Too big for their britches by Anonymous Coward · · Score: 2, Interesting

    Facebook is getting into aspects which a social networking service has little business being involved in. A while back somehow a family member's account became locked; to get it back up and running they were requiring photo ID. It's a social contact website, not a bank account.

  6. "Facebook promises" by vvaduva · · Score: 3, Interesting

    Facebook also promises not to share it with third-party websites (aside from those you authorize)

    lolz. I am sure the NSA will love this shit.

  7. Re:They delete and lock accounts too often by dgatwood · · Score: 3, Insightful

    Even ignoring that problem, at a glance, it seems like there are so many problems with that idea that I almost don't know where to begin. It assumes we trust Facebook to keep the token secure (we don't). It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes). And so on.

    A better solution is to add your home phone and office phone as alternate second factors.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Re:SMS? by tlhIngan · · Score: 2

    If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.

    The problem with SMS is well, you're assuming a person has a phone which has a phone number.

    NIST wrote guidelines against it because a "phone has a phone number" is no longer accurate. A phone number may not refer to *A* phone, but maybe multiple phones. Or hijacked along the way (including the phone itself).

    Google's switched to the Google Authenticator app, so while they can use SMS, it's a legacy thing.

    Anyhow, this isn't true two factor authentication. You're really just using another password to log in - either use your site login, or log into facebook to change it if you forget it. There is no second factor in play (what you know, what you are, what you have). You either know the site password, or your facebook password.

    This is more along the lines of Wish it Was Two Factor.