Is "Social Delegation" The Next Factor in MFA?

Multi-Factor Authentication: Social Delegation

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. There are three widely-accepted factors that are commonly used:

  • Knowledge - something only the user knows (like a password)
  • Possession - something only the user has (like a security fob or cell phone)
  • Inherence - something only the user is (usually biometrics like fingerprints, voice, etc.)

Increasingly, Location (where someone currently is) has been gaining traction as the fourth recognized factor in MFA. But I also wonder whether there's also a fifth factor - Social Delegation.

Social Delegation Factor

A Social Delegation factor is one that requires someone the user trusts to also authorize the request. This could be an account on some other platform or perhaps even a different user on the same platform. The critical element is that the user must have a way to securely designate trust in advance. Trust cannot be granted at the time of authorization as that would defeat the purpose of this approach.

Although access to another account could be construed as a possession factor, I think there's an important distinction: the account may not be under the direct control of the user. It could be a family member, friend, or co-worker who has the ultimate access to that account and makes the decision on whether to authorize the request.

This isn't a novel idea - some companies like Github and Facebook are already employing this type of additional factor.

Example: Github Delegated Recovery

In 2017 Github rolled out their delegated recovery feature. Github essentially generates a secure recovery token which is then stored with another trusted provider - in this case, Facebook:

Delegated account recovery

If any other factors protecting the Github account (like the password or security fob) are lost, the user can initiate recovery by proving ownership of the previously-trusted Facebook account. This is a prime example of using one trusted account to recover another. In this particular instance, the account belongs to the same individual, but that doesn't necessarily need to be the case.

There's an open specification available should you want to learn more about how this works or implement it yourself.

Example: Facebook Trusted Contacts

Facebook has a Trusted Contacts feature which allows you to re-gain access to your account using the help of your friends. To set up this feature you simply identify a handful of trusted individuals Facebook can ask to verify the request:

Facebook Trusted Contacts

The idea is that when you initiate recovery, Facebook will notify those individuals who would (hopefully) confirm the request with you in real life. A rogue actor wouldn't be able to use this method unless they could successfully impersonate you with your closest friends and family - a highly unlikely scenario.

Like the other examples here, this requires the account owner to pre-define the trusted accounts who can help them.

Example: Two-Man Rule for Nuclear Weapons

Bear with me on this one...

The US military has a two-man rule, popularized in movies and TV, where two different trusted individuals are required to confirm authorization of highly critical operations such as launching nuclear weapons:

In this example, both operators are confirming the instructions and performing actions (like turning separate, far-apart keys simultaneously) that cannot be done by a single person. While this mechanism alone doesn't prove that authentication is authorized, it does help to mitigate a single rogue actor.

This isn't a web-based technology like the other examples but it does share the same concept of placing trust in certain individuals and having them authenticate future requests.

Future Implementations

Github and Facebook are already at the forefront of implementing Social Delegation as an additional factor, but I wouldn't be surprised to see this type of factor gain more traction. I think this is especially true given the current state of online security: as more people adopt multi-factor authentication, having an alternative mechanism based around social trust which doesn't require physical equipment makes it easier to keep accounts secure and recover them should other factors be lost.

Of course this also comes with risks. What happens if trusted users conspire against the account holder? Or what if a trusted account is breached? These are important concerns that need to be carefully considered when deciding whether Social Delegation makes sense as an additional factor for particular use cases. But given that social trust is as old as society itself, I wouldn't be surprised to see more companies leverage Social Delegation to further secure user accounts.

What do you think the future of MFA is?

About Colin O'Dell

Colin O'Dell

Colin O'Dell is a Lead Software Engineer at SeatGeek. In addition to being an active member of the PHP League and maintainer of the league/commonmark project, Colin is also a PHP docs contributor, conference speaker, and author of the PHP 7 Migration Guide.