Facebook Delegated Recovery: Security Saver or Power Play?
While some have called Facebook’s developing security feature a blessing, others are calling it a “walled security garden.”
No one likes getting locked out of an account, but with so many passwords floating around and so many different accounts to maintain, it’s an unavoidable part of our online lives. Usually, account recovery goes through our email: the service in question sends a recovery link to the address on file, and following it lets us reset the password.
Email As Security Key – And Crutch
There’s just one problem with this method. According to Facebook security engineer Brad Hill, email is the “single point of failure for everything you do online.” This is a bold statement, but when you look at breaches like Yahoo’s, which exposed hundreds of millions of email accounts, it’s hard not to agree with him. Thanks to incidents like that at major providers, email security doesn’t have the best reputation at the moment.
This is a serious issue when you think of the amount of information an attacker gains from control of your email account. Every service that sends its password-reset link to that address can be taken over from there, one reset at a time. It’s a seriously chilling indictment of the way most of us are conducting security online.
Delegated Recovery
This is precisely why Facebook has released an account recovery feature for other websites called Delegated Recovery. The idea is to give a site a second recovery path that does not run through your email inbox. TechCrunch explained how the system works. “Facebook will let users set up encrypted recovery tokens for sites like Github, and if a user ever loses access to her Github account, she will send the stored token from her Facebook profile back to Github, proving her identity and unlocking her account. Encryption of the token provides privacy — Facebook can’t read the information stored in the token, and it won’t share information about your identity with third-party websites.”
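To make the exchange above concrete, here is an added example (not Facebook’s or GitHub’s code, and not the published specification) that models the three roles the quote describes: the account provider seals a token that only it can read, the user parks the opaque blob at the recovery provider, and on recovery the recovery provider countersigns it and hands it back. Everything below is an assumption for illustration: it uses only the Python standard library, so sealing is an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real AEAD, and the countersignature is an HMAC over a key shared by the two providers standing in for a public-key signature; the hostnames and usernames are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("token tampered with or not sealed by this account provider")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class AccountProvider:
    """The site whose account gets recovered (GitHub in the article)."""

    def __init__(self, name: str, countersign_key: bytes):
        self.name = name
        self._seal_key = secrets.token_bytes(32)      # never leaves this provider
        self._countersign_key = countersign_key       # assumed shared key; real spec: public key
        self._issued = {}                             # token id -> username; removed on revoke

    def issue_token(self, username: str) -> dict:
        token_id = secrets.token_hex(16)
        self._issued[token_id] = username
        secret = json.dumps({"user": username, "id": token_id}).encode()
        return {"issuer": self.name, "id": token_id,
                "sealed": base64.b64encode(seal(self._seal_key, secret)).decode()}

    def revoke(self, token_id: str) -> None:
        self._issued.pop(token_id, None)

    def recover(self, envelope: dict) -> str:
        """Verify the countersignature, unseal the token, check it is still valid."""
        token = envelope["token"]
        body = json.dumps(token, sort_keys=True).encode()
        expected = hmac.new(self._countersign_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["countersignature"]):
            raise ValueError("countersignature invalid")
        secret = json.loads(open_sealed(self._seal_key, base64.b64decode(token["sealed"])))
        if self._issued.get(secret["id"]) != secret["user"]:
            raise ValueError("token revoked or unknown")
        return secret["user"]


class RecoveryProvider:
    """The site that stores the opaque token (Facebook in the article)."""

    def __init__(self, name: str, countersign_key: bytes):
        self.name = name
        self._countersign_key = countersign_key
        self._vault = {}                              # recovery-provider user -> saved tokens

    def save_token(self, rp_user: str, token: dict) -> None:
        self._vault.setdefault(rp_user, []).append(token)

    def can_read(self, token: dict) -> bool:
        """The recovery provider only ever sees ciphertext; it cannot parse the contents."""
        try:
            json.loads(base64.b64decode(token["sealed"]))
            return True
        except ValueError:
            return False

    def countersign(self, rp_user: str, token_id: str) -> dict:
        # In the real flow this happens only after the user has logged in here; assumed.
        token = next(t for t in self._vault[rp_user] if t["id"] == token_id)
        body = json.dumps(token, sort_keys=True).encode()
        sig = hmac.new(self._countersign_key, body, hashlib.sha256).hexdigest()
        return {"token": token, "countersigner": self.name, "countersignature": sig}


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    shared = secrets.token_bytes(32)                  # stand-in for Facebook's signing key
    github = AccountProvider("github.example", shared)
    facebook = RecoveryProvider("facebook.example", shared)

    token = github.issue_token("alice")               # 1. set up while logged in to GitHub
    facebook.save_token("alice_fb", token)            # 2. opaque blob parked at Facebook
    opaque = not facebook.can_read(token)             #    Facebook learns nothing from it
    envelope = facebook.countersign("alice_fb", token["id"])  # 3. locked out; ask Facebook
    recovered = github.recover(envelope)              # 4. GitHub verifies and unlocks

    forged = dict(envelope, countersignature="00" * 32)
    forged_rejected = _rejected(lambda: github.recover(forged))
    github.revoke(token["id"])                        # user revokes the token at GitHub
    revoked_rejected = _rejected(lambda: github.recover(envelope))
    return recovered, opaque, forged_rejected, revoked_rejected
```

The two checks at the end are the ones a practitioner cares about: a token that Facebook countersigned cannot be accepted if the signature is wrong, and a token the user has revoked at GitHub is useless even though Facebook still holds a copy. In the published design the countersignature is a public-key signature verified against keys the recovery provider publishes, so no shared secret between the two sites is needed; the HMAC here is only to keep the example dependency-free.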
From a security perspective, this kind of sealed-token system is a sound idea. The site being recovered is the only party that can read the token, the recovery provider only vouches that the person presenting it is the same one who stored it, and password resets no longer all funnel through one inbox. It is worth remembering, though, that the Facebook account then becomes a recovery path in its own right, so its own protections, two-factor authentication in particular, matter just as much as the email account’s did. At present the Delegated Recovery feature is only being offered as a limited trial with GitHub, but it’s also part of Facebook’s bug bounty program, which invites security experts to test it and locate weak spots. Delegated Recovery looks like a promising alternative for the future, if the trial holds up.
Power Grab?
There are some questions about Facebook’s broader ambitions here. As TechCrunch aptly noted, “Delegated Recovery isn’t just a security feature — it’s a way for Facebook to convince users to center their online identity around their Facebook profile, rather than their email address. This is a shift as account recovery has typically revolved around the email you use to register for all your online accounts. That is then when you’ll receive a password reset email if you get locked out.”
Walled Garden
In other words, this move could be one more step in Facebook’s rather thinly veiled effort to wall in more aspects of our online lives. This wouldn’t be the first time the social media giant has been accused of creating a so-called “walled garden,” or closed ecosystem.
In this case, Facebook would draw more and more of its users’ data inside its own walls, until it holds nearly all of their online identities. Some have said the same push is visible in the way Facebook bought WhatsApp and then turned Messenger into a stand-alone service, reducing our reliance on other messaging systems and putting Messenger on top.
Of course, we shouldn’t automatically assume that Facebook has sinister aims here. While it does hold a wealth of data that almost no other company can rival (other than Google, perhaps), features like Delegated Recovery could well be earnest efforts to improve the security of its users’ online lives. Only time will tell what long game it has in mind, but being critical and honest about what we hand over to Facebook is a necessary habit for users and critics alike.