Overview

Delegated Account Recovery helps people quickly provision a way to recover access after losing a password or contact point by proving continuity of their identity at another trusted service.

Social login products like Facebook Login can solve the basic needs of account recovery, but a social login flow may not be ideal if you need to retain full control of the primary account registration and login flows for your customers, or if your customers are concerned about sharing personal information between services.

With Delegated Account Recovery, people can ensure they have a reliable way to regain access in extraordinary circumstances, using strongly attached accounts, without sharing personal information. It provides better security than password reset links sent by email, and helps avoid the problems caused by changing phone numbers and email addresses.

Use Delegated Account Recovery with Facebook to:

  • Streamline the provisioning of a recovery method at account creation time
  • Provide a second recovery factor for high-security accounts
  • Serve as a backup for password-less accounts that log in directly through an email address or phone number contact point

Advanced Features

Unlike email, SMS, OAuth or other common recovery mechanisms, the design of Delegated Account Recovery enables some unique and useful optional features:

  • Facebook can provide a webhook callback if the recovery link between your service and a Facebook account is broken, so you can prompt the customer to establish a new way to recover.
  • You can store a small amount of data in a recovery token. Facebook never has access to that data, and your service can only see it again with the user's consent. This opens interesting possibilities, like enabling recovery of data encrypted with a key that is held only by the customer.

Support for Delegated Account Recovery can be discovered with a simple HTTP query, and it requires no advance provisioning of developer accounts, terms-of-service agreements or application configuration. You can instantly use any service your customers might choose that advertises the protocol.

As of this writing, Delegated Account Recovery on Facebook is in a closed beta and only available to select partners.


How Delegated Account Recovery Works

There are three parties involved in an account recovery.

  • The User is a person with accounts at both the Account Provider and Recovery Provider.
  • The Account Provider is the site where the User has an account they need to be able to recover if they lose their password. Your service is the Account Provider when using Delegated Account Recovery with Facebook.
  • The Recovery Provider is another service that the User trusts to recover accounts elsewhere. This guide documents using Facebook as a Recovery Provider, but other services may also offer the protocol.

Establishing a recovery capability

At a high level the first phase is as follows:

  1. The User authenticates to the Account Provider, or is in the process of creating a new account there.
  2. The User chooses a Recovery Provider to use that is supported by the Account Provider.
  3. The Account Provider creates a recovery token and has the User's browser send it to the Recovery Provider.
  4. The Recovery Provider saves the token to the User's account there and redirects back to the Account Provider.

Exercising a recovery capability

When the user actually needs to recover their account:

  1. The User tells the Account Provider they need to recover their account. The Account Provider remembers at which Recovery Provider(s) they have saved a recovery token and redirects them there.
  2. The User authenticates to the Recovery Provider. Because the Recovery Provider knows this is for an account recovery action, it may ask the user to provide additional verification before proceeding.
  3. Once the Recovery Provider is satisfied with the level of authentication of the User, it creates a new token, which includes the originally saved token from the Account Provider, and has the User's browser send it back to the Account Provider.
  4. The Account Provider validates the token is from the Recovery Provider, validates the original token it sent, and decrypts the data in the token to restore access to the User.

This diagram shows an overview of the process:

At no point in this process does the app share any personally identifying information about the user with Facebook, and Facebook also does not disclose any personally identifying information to the app. Facebook provides only a proof of the continuity of the person's identity over time; it does not have to say who the person is in order for them to recover their access.
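The two phases above, modelled end to end as an added example (not Facebook's implementation and not the protocol's real token format). It assumes JSON tokens, ECDSA P-256 signatures and AES-256-GCM for the embedded data; the class names, function names and sample values are hypothetical.

```javascript
// Added illustration: a simplified model of the two phases, not the real token format.
const crypto = require('crypto');
const newKeys = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const b64 = (buf) => buf.toString('base64');
const sign = (privateKey, obj) => {
  const body = Buffer.from(JSON.stringify(obj));
  return { body: b64(body), sig: b64(crypto.sign('sha256', body, privateKey)) };
};
const open = (publicKey, tok) => {  // verify the signature before trusting any field
  const body = Buffer.from(tok.body, 'base64');
  if (!crypto.verify('sha256', body, publicKey, Buffer.from(tok.sig, 'base64'))) throw new Error('bad signature');
  return JSON.parse(body.toString('utf8'));
};

class AccountProvider {
  constructor() { this.keys = newKeys(); this.dataKey = crypto.randomBytes(32); this.issued = new Map(); }
  issueToken(userId, secret) {  // establishing, step 3
    const id = crypto.randomBytes(16).toString('hex'), iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.dataKey, iv);
    const ct = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
    this.issued.set(id, userId);  // mapping stays server-side; the token holds only a random id
    return sign(this.keys.privateKey, { id, iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()) });
  }
  recover(countersigned, recoveryPublicKey) {  // exercising, step 4
    const outer = open(recoveryPublicKey, countersigned);     // from the Recovery Provider?
    const inner = open(this.keys.publicKey, outer.original);  // the token we originally issued?
    const userId = this.issued.get(inner.id);
    if (!userId) throw new Error('unknown token');
    const d = crypto.createDecipheriv('aes-256-gcm', this.dataKey, Buffer.from(inner.iv, 'base64'));
    d.setAuthTag(Buffer.from(inner.tag, 'base64'));           // final() throws if the data was altered
    const pt = Buffer.concat([d.update(Buffer.from(inner.ct, 'base64')), d.final()]);
    return { userId, secret: pt.toString('utf8') };
  }
}
class RecoveryProvider {
  constructor() { this.keys = newKeys(); this.saved = new Map(); }
  save(account, token) { this.saved.set(account, token); }  // establishing, step 4
  countersign(account) {                                    // exercising, step 3
    const original = this.saved.get(account);
    if (!original) throw new Error('no token saved');
    return sign(this.keys.privateKey, { original });
  }
}
function demo() {  // constructed accounts and data
  const ap = new AccountProvider(), rp = new RecoveryProvider();
  rp.save('rp-account-1', ap.issueToken('ap-user-42', 'wrapped-data-key'));
  const ok = ap.recover(rp.countersign('rp-account-1'), rp.keys.publicKey);
  const forged = sign(newKeys().privateKey, { original: rp.saved.get('rp-account-1') });
  let forgedRejected = false;
  try { ap.recover(forged, rp.keys.publicKey); } catch { forgedRejected = true; }
  return { ok, forgedRejected };
}
```

The Recovery Provider in this model stores and returns an opaque signed blob: the account identifier never leaves the Account Provider, and the embedded data is readable only with the Account Provider's key.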

Because Delegated Account Recovery relies on the User having an authenticated session at both services, the protocol operates in a standard web browser on top of HTTPS. Mobile apps can use a system browser, such as a Chrome Custom Tab or Safari View Controller, to complete the protocol.