GitHub is adopting Facebook’s Delegated Recovery protocol to identify and work out security kinks in the new way users regain access to their accounts. Security researchers are encouraged to take part in the bounty program and uncover potential security flaws before the system becomes widely used across the internet.
Most websites and online services rely on email to recover user accounts and reset passwords. While password reset emails are ubiquitous, they aren’t very secure because of the underlying assumption that the user still has control over the email address and that the attackers haven’t already compromised the account. Security questions are no better, especially since anyone with a little time can engage in social engineering or online stalking to find answers to commonly asked security questions.
To read this article in full or to leave a comment, please click here