Moving Account Recovery beyond Email and the "Secret" Question

Managing a lost password or other credential is a problem every application must contend with, but which remains the most neglected part of account lifecycle management. Best common practice has failed to advance beyond the choices of “security” questions, emailed password reset links, or SMS-delivered codes. Federated Identity systems solve some problems but are economically unacceptable in many situations to both users and platforms. This talk introduces a lightweight, purpose-built, and self-assembling protocol with a prototype implementation by Facebook. It allows users to recover account access at any service using whatever other service(s) are best able to re-authenticate them. The design is focused on user choice and privacy and avoids asking people to bargain with their personal information to obtain this basic necessity of online life. It also presents the opportunity to build recovery capabilities for end-to-end encryption keys that meet the needs and abilities of ordinary humans.