Security questions, two-factor authentication, SMS messages and phone calls are the tools of the trade when it comes to recovering our lost passwords for online services. But that can change. Facebook and GitHub, a code sharing and publishing service that is basically a social networking site for programmers, have unveiled a new service that solves the problem of the forgotten password.
The new service started yesterday, and it allows users who have lost their GitHub login credentials to securely regain access in just a few seconds over encrypted HTTPS links. To use it, Facebook users have to create a GitHub recovery token in advance and save it with their Facebook account. When they need it, they can re-authenticate to Facebook and request that the token be sent to GitHub with a time-stamped signature. The communication is encrypted so none of the participants can read any personal information. After the request, the GitHub account can be recovered. This new service can eliminate the insecurity of today's account recovery methods, like answering security questions. Questions such as “What is your favorite sport?” and “What is your favorite pizza topping?”, asked by United Airlines, are no serious defense.
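The token hand-off described above, sketched as an added example (not code from Facebook or GitHub). The class names, the five-minute freshness window and the shared-key HMAC standing in for the provider's signature are assumptions; the article does not say which signature scheme is used.

```python
import hashlib, hmac, secrets, time

MAX_AGE = 300                           # assumed freshness window, in seconds
PROVIDER_KEY = secrets.token_bytes(32)  # assumed key; HMAC stands in for the real signature

def sign(token, issued_at):
    # The signature covers the token and the timestamp, so neither can be swapped.
    msg = token + int(issued_at).to_bytes(8, "big")
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).digest()

class Provider:
    """Role of the recovery provider (Facebook in the article)."""
    def __init__(self):
        self.saved = {}                 # provider user -> opaque token

    def save(self, user, token):
        self.saved[user] = token

    def release(self, user, now=None):
        # Called only after the user has re-authenticated to the provider.
        issued_at = int(time.time() if now is None else now)
        return self.saved[user], issued_at, sign(self.saved[user], issued_at)

class Site:
    """Role of the service whose account is recovered (GitHub in the article)."""
    def __init__(self):
        self.tokens = {}                # sha256(token) -> account
        self.used = set()               # signatures already accepted

    def issue_token(self, account):
        token = secrets.token_bytes(32)  # random and opaque: no personal data inside
        self.tokens[hashlib.sha256(token).digest()] = account
        return token

    def recover(self, token, issued_at, signature, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(sign(token, issued_at), signature):
            return None                 # forged, or token/timestamp altered
        if not (0 <= now - issued_at <= MAX_AGE):
            return None                 # stale or future-dated request
        if signature in self.used:
            return None                 # replay of an earlier recovery
        self.used.add(signature)
        return self.tokens.get(hashlib.sha256(token).digest())
```

The site stores only a hash of the token and the provider stores only random bytes, so neither side learns anything about the other's account from the token itself.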
The service works only for GitHub now, but other third-party sites will join soon. The Facebook service can be rate-limited, so that if a Facebook account is hijacked, the rate limiting can be used to prevent an attacker from accessing all the third-party accounts at once.