GitHub wants to make it easier for users to get back into their accounts after they get locked out. The company announced users can now connect their Facebook accounts with their GitHub accounts.
“This will help us recover your account for certain two-factor authentication lockout scenarios,” wrote Neil Matatall, GitHub employee, in a blog post. “For example, you may become locked out of your GitHub account because you have lost your phone or U2F key, changed phones without re-enrolling, or have otherwise lost the ability to use your phone or token without a usable backup.”
(Related: Software security needs to be Job One)
Previously, users who lost access to their phone or token would have to somehow prove their account ownership before GitHub would disable the authentication feature, Matatall explained. To do so, users would have to have access to the account’s e-mail and SSH private key.
GitHub users can set up the new recovery feature through the GitHub security settings page.
“GitHub only stores the token ID, user ID, and token state,” wrote Matatall. “Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery. This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.”
Going forward, GitHub will continue to explore the best security options for its users, which may include replacing or complementing password resets in the future, Matatall explained. In addition, the company is planning to add reciprocal Facebook account recovery support.
“We think this is a great step towards a better account recovery process,” wrote Matatall. “Traditional e-mail-based recovery has flaws, transmitting secrets that grant immediate account access through many hops and clients. With this feature we can ease the pain associated with a locked out account in a way that is well defined and protects the security and privacy
