Shostack + Friends Blog


Account Recovery


Access to an account is access to an account. A lot of systems talk about "backup" authentication, but make that backup authentication available at all times. This has led to all sorts of problems, because the idea that the street you grew up on is a secret didn't make sense even before Yahoo! "invalidated" it. Not to mention that even when answers to these questions are freeform, they tend to have only a few bits of entropy. Colors? First names? All have distributions. Then there are the ones who insist they know your answers:

United Airlines Account Recovery Questions
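To put numbers on the "few bits of entropy" point, here is an added example (not code from the original post) that scores a constructed, illustrative answer distribution for a favorite-color question and compares it with a uniformly random secret; the frequencies are made up for illustration, not survey data, and the same functions work for any answer distribution you can estimate.

```python
import math

# Constructed, illustrative answer distribution for the question
# "What is your favorite color?" (made-up frequencies, not survey data).
# The point is the skew: a few answers cover most users.
FAVORITE_COLOR = {
    "blue": 0.35, "green": 0.15, "red": 0.12, "purple": 0.10,
    "black": 0.08, "pink": 0.06, "orange": 0.05, "yellow": 0.04,
    "white": 0.03, "brown": 0.02,
}


def shannon_entropy(dist):
    """Average surprise in bits. Overstates the work an attacker faces,
    because it averages over rare answers the attacker never needs."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """Bits of work for an attacker who submits the single most common
    answer; this is the figure that matters for a one-shot guess."""
    return -math.log2(max(dist.values()))


def guess_success(dist, attempts):
    """Probability that trying the `attempts` most common answers in
    order hits the right one. With recovery available at all times and
    no lockout, this is the attacker's per-account success rate."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def uniform(n):
    """Distribution of a secret drawn uniformly from n values, e.g. a
    random recovery code; used as the baseline for comparison."""
    return {i: 1.0 / n for i in range(n)}


if __name__ == "__main__":
    for name, dist in [("favorite color", FAVORITE_COLOR),
                       ("random 6-digit code", uniform(10**6))]:
        print(f"{name}: Shannon {shannon_entropy(dist):.2f} bits, "
              f"min-entropy {min_entropy(dist):.2f} bits, "
              f"3 guesses succeed with p={guess_success(dist, 3):.3f}")
```

Min-entropy is the number to compare against a rate limit: a question scoring around 1.5 bits is broken by the first guess on roughly a third of accounts, whatever the lockout policy.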

One of the people who's focused on really improving account recovery is Brad Hill, and at F8, Facebook announced some new tech which I think is a very useful new point in the design space.

As developers, we talk a lot about building experiences that people love. But there’s one experience that never fails to elicit a groan from people everywhere: recovering an account after forgetting your password.
[...]
Delegated Account Recovery helps people and businesses recover their accounts using the services that they trust. It is an open protocol that gives companies the ability to provide better and more secure options to their customers for regaining access to their accounts. Facebook — and other providers in the future — can help people verify who they are when they forget their password, lose their two-factor codes, or don't want to answer security questions based on personal information. ("Delegated Account Recovery Now Available in Beta.")

It's worth checking out.

And not that I'm trying to make trouble for anyone, but at what point does relying on use of a "secret" question like "street you grew up on" become the sort of unfair trade practice that garners regulatory attention? My guess is that the availability of credible alternatives brings that day closer.