
Facebook: Account Security Improvements With Delegated Recovery


engine

4:52 pm on Jan 31, 2017 (gmt 0)


Facebook continues moving towards improving account security, and its latest announcement is a limited trial of Delegated Recovery, which lets you associate your GitHub account with your Facebook account.

You'll need to set up this method in advance by saving a recovery token with your Facebook account. A recovery token is encrypted so Facebook can't read your personal information. If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn't share your personal data with GitHub, either; they only need Facebook's assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.
This can happen in just a few clicks in your browser, all over HTTPS.

Facebook: Account Security Improvements With Delegated Recovery [facebook.com]


New and improved two-factor lockout recovery process [githubengineering.com]
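A stdlib-only model of the flow quoted above, added here as an illustration; it is not Facebook's or GitHub's code. The real protocol uses ECDSA keys published at well-known URLs and proper authenticated encryption; HMAC shared secrets and a toy cipher stand in here, and all names, keys and timestamps are constructed.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo keys (not real keys): the real protocol uses ECDSA keys published at
# well-known URLs; HMAC shared secrets and a toy cipher stand in to stay stdlib-only.
GITHUB_KEY = secrets.token_bytes(32)    # account provider: seals and signs tokens
FACEBOOK_KEY = secrets.token_bytes(32)  # recovery provider: countersigns on recovery

def b64(b): return base64.urlsafe_b64encode(b).decode().rstrip("=")
def unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
def canon(obj): return json.dumps(obj, sort_keys=True).encode()

def keystream(key, nonce, n):  # toy HMAC counter-mode keystream standing in for AES-GCM
    return b"".join(sign(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key, plaintext):  # encrypt-then-MAC: the recovery provider can neither read nor alter it
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + sign(key, b"enc" + nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, sign(key, b"enc" + nonce + ct)):
        raise ValueError("token data tampered with")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def issue_token(user_id, issued_at):
    # Account provider (GitHub role): identity is sealed, so Facebook only stores an opaque blob
    body = {"id": b64(secrets.token_bytes(16)), "issuer": "github.example",
            "audience": "facebook.example", "issued_at": issued_at,
            "data": b64(seal(GITHUB_KEY, user_id.encode()))}
    return {"body": body, "sig": b64(sign(GITHUB_KEY, canon(body)))}

def countersign(token, now):
    # Recovery provider (Facebook role): after re-authentication, return the stored token
    # wrapped in a time-stamped countersignature; "data" is never decrypted here
    env = {"token": token, "countersigned_at": now, "issuer": "facebook.example"}
    return {"env": env, "csig": b64(sign(FACEBOOK_KEY, canon(env)))}

def verify_recovery(cs, expected_token_id, now, max_age=300):
    # Account provider checks countersignature, freshness, its own token signature and token id
    if not hmac.compare_digest(unb64(cs["csig"]), sign(FACEBOOK_KEY, canon(cs["env"]))):
        raise ValueError("bad countersignature")
    if not 0 <= now - cs["env"]["countersigned_at"] <= max_age:
        raise ValueError("countersignature stale or from the future")
    tok = cs["env"]["token"]
    if not hmac.compare_digest(unb64(tok["sig"]), sign(GITHUB_KEY, canon(tok["body"]))):
        raise ValueError("bad token signature")
    if tok["body"]["id"] != expected_token_id:
        raise ValueError("token is not the one saved for this account")
    return unseal(GITHUB_KEY, unb64(tok["body"]["data"])).decode()
```

The point to notice is that the recovery provider only ever handles the sealed blob and a signature, while the account provider refuses a countersignature that is stale, altered, or for a token other than the one it saved.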

bill

2:39 am on Feb 1, 2017 (gmt 0)


The general explanation looks like it would work on the surface and appears secure. It seems to take the trust factor element out of using Facebook to hold this data. I'm not sure I would trust it just yet, but would be interested to hear from anyone who takes advantage of it.

engine

11:50 am on Feb 1, 2017 (gmt 0)


Technically, it's a good idea if implemented correctly, but, as you suggest, trust is always going to be an issue.

It makes me wonder if Facebook is manoeuvring to become some kind of security mechanism to the wider industry in a way that Google accounts are to its own offerings. Perhaps Google missed a trick here.

bill

10:20 pm on Feb 1, 2017 (gmt 0)


I've read people describing this as just another form of 2FA. Looking at it in that light might describe this more clearly to those who might not understand what's happening here. Your second factor here isn't an insecure SMS message to your phone, but a token stored in your Facebook account. That Facebook account would also need to be compromised to work around this.

Google and others have tried to do something similar to this with their single sign-on and OAuth schemes, but there are ways around this as well. This method seems like it could be a bit more secure.