"Facebook has published a specification [...] the specification allows website and app programmers to push their account recovery mechanism onto an established, trusted provider"
ROFL
Facebook has published a specification for providing secure and reliable account recovery in websites and applications. Recovering access to accounts is, judging from our article archives, too easy for developers to screw up: passwords are stored in plain text, security questions can be guessed or bypassed, and so on. In his …
Well, if you compromised someone's FB account, you can then compromise their GitHub - just like if you compromise someone's Gmail, you can compromise their GitHub by resetting the password. This is why you have two-factor auth on your GitHub account. And all accounts.
The point of this is: who is better at writing and maintaining a secure account recovery mechanism - you or Facebook (or Google etc)? If you, then do it yourself. Otherwise, use someone else's working system instead.
Also means you don't have to store personal info stuff like mother's maiden names in your database.
C.