Facebook has been strengthening its security systems, having quite recently implemented support for U2F security keys on its website. Now the company is looking towards the future of second-factor authentication, as it has begun trials for a new system called "Delegated Recovery".
In essence, Delegated Recovery works much like any other two-factor authentication (2FA) method currently available. The difference from traditional phone-based or physical token-based 2FA is that Delegated Recovery instead stores the user's digital tokens on a third-party account that the user owns.
For example, say you were to lose your mobile phone and/or security key. The loss of these two devices would usually mean that you are unable to access your 2FA-activated account until you have contacted customer support.
With Delegated Recovery, you’ll still be able to access your account as Facebook has stored the security tokens needed to unlock your account. Furthermore, all tokens are encrypted, meaning no one, not even Facebook, will be able to read the information stored in the token.
Facebook will be rolling out Delegated Recovery in a limited capacity to GitHub as part of the company’s bug bounty program. During this trial period, Facebook is looking to gather feedback from security researchers as well as its own bug bounty members in order to fine-tune the feature.
Facebook has also published the source code for Delegated Recovery on the company’s own GitHub page, allowing anyone to implement the system on their own websites if they choose to do so.