Facebook tool protects other accounts when hackers strike email

Currently, hackers with access to your email could use it to recover passwords from most of your other accounts. This tool aims to stop that.

Laura Hautala
Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials 2022 Eddie Award for a single article in consumer technology
2 min read

GitHub's account recovery page. Starting Tuesday, the site's users can use their Facebook accounts to recover access to their GitHub accounts.

What's the easiest way to hack all of your accounts at once? Through your email.

That's because once hackers have access to your Yahoo account, for example, they can go to scores of popular websites, enter in your email address, and press that link that says, "Forgot your password?" Then they go back to your Yahoo inbox and open the email that lets them reset your password. Presto -- you're hacked again.

That's the problem Facebook is hoping to solve with a new tool released Monday. It lets you add an extra layer of security when you go to recover your password, so just having access to your email account isn't enough.

You've probably heard of two-factor authentication for logging into your accounts. This is two-factor authentication for recovering access to your accounts. You'll need it once you've forgotten your password, security questions, or other login methods you'd set up.

"We need something better -- a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number," wrote Brad Hill, a security engineer for Facebook, in a blog post. Hill also presented the new tool at the Enigma cybersecurity conference happening in Oakland, California, on Monday.

The tool is part of Facebook's larger push to develop technology that will make passwords unnecessary, Hill wrote. The social media giant is in good company, as more services add extra security layers to the login process, making it harder for an intruder with just your password to get into your accounts. But for now, these layers are just that -- extra. Almost all still ask for your password first.

To use this tool, you'll have to wait for your favorite web services to implement it. Facebook released an open-source protocol that any online service can use to let you prove you are who you say you are with your Facebook account. The company also partnered with GitHub, an online repository that programmers use to collaborate on coding projects, to make the tool available to GitHub users starting Tuesday. Users can go into their account settings to look for the tool then.

Hill said at the Enigma conference that the protocol would improve on an existing solution today, OAuth. That's a protocol already used by Facebook and other major online services today, and it lets users share access to accounts without sharing their password or other login credentials. Critics have said OAuth requires an extremely knowledgeable programmer to run securely.

"Simplicity is a very important concern of mine," Hill said.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility. Check it out here.

Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET. You can read them here.