"Facebook has published a specification [...] the specification allows website and app programmers to push their account recovery mechanism onto an established, trusted provider"
ermm. a question.
I may not have understood the concept properly, but doesn't this just mean that if one account is compromised, it would be even easier to compromise the victim's other accounts?
Re: ermm. a question.
Well, if you compromised someone's FB account, you can then compromise their GitHub - just like if you compromise someone's Gmail, you can compromise their GitHub by resetting the password. This is why you have two-factor auth on your GitHub account. And all accounts.
The point of this is: who is better at writing and maintaining a secure account recovery mechanism - you or Facebook (or Google etc)? If you, then do it yourself. Otherwise, use someone else's working system instead.
Also means you don't have to store personal info stuff like mother's maiden names in your database.
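The delegation described in the reply above, as an added toy model that is not Facebook's specification or anyone's production code: the relying site issues an opaque token and keeps the only mapping from token to user; the provider stores the token without knowing which site account it belongs to and, once the user has re-authenticated there, hands it back countersigned; the site verifies both signatures and consumes the token. Assumptions: HMAC-SHA256 stands in for the asymmetric signatures a real deployment would use (so the site holds the provider's key directly instead of a public key), all exchanges are in-process calls rather than HTTP redirects, and the names, fields and timestamps are made up for the illustration.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, msg: bytes) -> str:
    # Stand-in for a digital signature (assumption: real deployments use
    # asymmetric keys so the verifier never holds the signer's secret).
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _canon(obj) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class RecoveryProvider:
    """The Facebook-like side: holds opaque tokens, countersigns on request."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.saved = {}  # provider account -> list of site-issued tokens

    def save_token(self, provider_user: str, token: dict) -> None:
        # The provider cannot see which site account the token maps to.
        self.saved.setdefault(provider_user, []).append(token)

    def countersign(self, provider_user: str, issuer: str, now: int) -> dict:
        # Only reached after the user has re-authenticated to the provider.
        for tok in self.saved.get(provider_user, []):
            if tok["payload"]["issuer"] == issuer:
                body = {"token": tok, "provider_user": provider_user,
                        "countersigned_at": now}
                return {"body": body, "provider_tag": _tag(self.key, _canon(body))}
        raise LookupError("no token saved for issuer %s" % issuer)


class Site:
    """The relying site (GitHub-like): issues tokens, verifies countersigned ones."""

    def __init__(self, name: str, provider: RecoveryProvider):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.provider = provider
        # Assumption: with real signatures this would be the provider's
        # public key; here the shared HMAC key plays that role.
        self.provider_verify_key = provider.key
        self.binding = {}   # token id -> site user; the only binding the site keeps
        self.used = set()

    def issue_token(self, user: str, provider_user: str, now: int) -> str:
        token_id = secrets.token_hex(16)
        payload = {"id": token_id, "issuer": self.name, "issued_at": now}
        token = {"payload": payload, "site_tag": _tag(self.key, _canon(payload))}
        self.binding[token_id] = user
        self.provider.save_token(provider_user, token)
        return token_id

    def recover(self, countersigned: dict, now: int, max_age: int = 300) -> str:
        body = countersigned["body"]
        # 1. The provider vouched, recently, for the user holding this token.
        if not hmac.compare_digest(_tag(self.provider_verify_key, _canon(body)),
                                   countersigned["provider_tag"]):
            raise PermissionError("provider countersignature invalid")
        if not 0 <= now - body["countersigned_at"] <= max_age:
            raise PermissionError("countersignature stale")
        # 2. The token is one we issued and has not been tampered with.
        payload = body["token"]["payload"]
        if not hmac.compare_digest(_tag(self.key, _canon(payload)),
                                   body["token"]["site_tag"]):
            raise PermissionError("token not issued by this site")
        if payload["issuer"] != self.name:
            raise PermissionError("token issued for a different site")
        # 3. Single use: a captured countersigned token cannot be replayed.
        token_id = payload["id"]
        if token_id in self.used or token_id not in self.binding:
            raise PermissionError("token unknown or already consumed")
        self.used.add(token_id)
        return self.binding[token_id]


def demo() -> str:
    # Constructed walk-through: enrol, then recover after re-authenticating
    # to the provider. Returns the site user that was recovered.
    provider = RecoveryProvider()
    site = Site("example-site", provider)
    site.issue_token("alice", "provider:alice", now=1000)
    countersigned = provider.countersign("provider:alice", "example-site", now=1050)
    return site.recover(countersigned, now=1060)


if __name__ == "__main__":
    print(demo())
```

The model shows both halves of the comment's point: the site stores no security questions or other personal data, only a random token id per user, and the provider stores nothing that identifies the site account. It also shows the threat the question above raises: whoever can re-authenticate to the provider can obtain the countersigned token, so the provider's login (and its second factor) becomes part of the site's security boundary. After a successful recovery the site should issue a fresh token, since the consumed one is rejected on replay.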
Wow! With a mechanism like this, why would the government need a backdoor?
Just subpoena Facebook.
Facebook wants to be able to access all my other accounts? NO thank you! If only sites adopted something like OpenID I would be in control of my own authentication.