X

Facebook moves ahead with account recovery for any site

Soon, you'll be able to get back into accounts on multiple sites using Facebook instead of email for recovery. Facebook releases the tool at its F8 event.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
See full bio
Laura Hautala
2 min read
screen-shot-2017-01-30-at-12-19-45-pm.png

In January, GitHub started letting people recover account access via Facebook. More companies can start using the tool as of Tuesday.

Screenshot by CNET

When you forget a password, usually the first option is to reset it through your email account. Facebook wants to change that.

The company is developing a way to recover access to many of your online accounts through Facebook instead. On Tuesday, Facebook released software that any service with online accounts -- whether it's your bank, a retailer or your favorite fan-fic website -- can use to let you recover access through your Facebook account.

The announcement came during F8, Facebook's annual developers conference. The software pushes forward the company's plan, first announced in January, to move into the account recovery game. Facebook is calling its approach "delegated account recovery," and Facebook security engineer Brad Hill said in a blog post Tuesday that it's safer than using your email account.

Email was "not originally designed to be a secure system, and despite countless updates over the years, major challenges remain," Hill said.

Software collaboration site GitHub has been letting people recover access to their accounts via Facebook since January. On Tuesday, Facebook released the software that will enable more companies to try this approach. Once companies build the tool into their websites, they can apply to be part of Facebook's beta program for account recovery.

Here's how Facebook will handle account recovery: First, you realize you've forgotten the password to your bank account, for example, so you click the "forgot my password" link on your bank's login page. Instead of being prompted to enter your email address, Facebook will take you through a series of prompts to check your identity based on what it knows about you through your Facebook account.

Then it sends your bank a digital token that confirms you are who you say you are. The token is encrypted so only the service you're trying to log in to can read it. Now, you're logged back in to your bank account and you can set a new password.

Why is this safer? For one thing, if your email password is stolen or leaked in a data breach, hackers could use that access to reset passwords on all your other accounts. What's more, those emails with links to reset your passwords can be read by all the software programs that scan your email for viruses, spam and ad keywords, Hill said in his blog post. That could expose those links to hackers.

Facebook is also planning to release its tools as an open-source project. So soon you may be able to log back in to your bank account using any number of other accounts.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Special Reports: CNET's in-depth features in one place.