Moving Account Recovery beyond Email and the "Secret" Question

Monday, January 30, 2017 - 9:30am-10:00am

Brad Hill, Security Engineer, Facebook


Managing a lost password or other credential is a problem every application must contend with, but which remains the most neglected part of account lifecycle management. Best common practice has failed to advance beyond the choices of “security” questions, emailed password reset links, or SMS-delivered codes. Federated Identity systems solve some problems but are economically unacceptable in many situations to both users and platforms. This talk introduces a lightweight, purpose-built, and self-assembling protocol with a prototype implementation by Facebook. It allows users to recover account access at any service using whatever other service(s) are best able to re-authenticate them. The design is focused on user choice and privacy and avoids asking people to bargain with their personal information to obtain this basic necessity of online life. It also presents the opportunity to build recovery capabilities for end-to-end encryption keys that meet the needs and abilities of ordinary humans.

Brad is a Security Engineer at Facebook and a long-term contributor to internet-scale security efforts in organizations including the W3C, FIDO Alliance, IETF, and CA/Browser Forum.

@conference {201681,
author = {Brad Hill},
title = {Moving Account Recovery beyond Email and the "Secret" Question},
year = {2017},
address = {Oakland, CA},
publisher = {USENIX Association},
month = jan
}