Twitter Deploys Two-Factor Authentication to Protect User Accounts

After a spate of high-profile compromises, Twitter announced it is rolling out a new way for users to better protect their accounts from hijacking.

Twitter is introducing optional two-factor authentication to bolster account security, following recent high-profile breaches affecting Twitter itself as well as media organizations around the world.

In response to the attacks, Twitter announced Wednesday it is rolling out a form of two-factor authentication to provide extra security for users. The new "log-in verification" feature will serve as a second check to make sure users are who they say they are, explained Jim O'Leary, of Twitter's product security team. As part of the feature, users will be asked to register a verified phone number and email address with Twitter.

"Every day, a growing number of people log in to Twitter," he blogged. "Usually these log-in attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the Web."

"After you enroll in log-in verification, you'll be asked to enter a six-digit code that we send to your phone via SMS [Short Message Service] each time you sign in," he explained.

The change follows a spate of attacks against the Twitter feeds of news organizations such as the Financial Times and BBC. In April, a Twitter account belonging to the Associated Press was compromised and used to send out a fake tweet claiming that there had been two explosions at the White House and that President Barack Obama had been injured. The fake report was credited with causing a brief fluctuation in the financial markets.

In February, Twitter was forced to reset the passwords of 250,000 users after a breach was discovered and hackers were caught trying to access user data. Despite being able to shut down a live attack, the company believed attackers may have gotten limited access to user information, such as user names, email addresses and encrypted/salted passwords.

With two-factor authentication, users will have an extra degree of protection against attackers trying to compromise their accounts, O'Leary explained. Users can enable the feature through the "account settings" page.

"With log-in verification enabled, your existing applications will continue to work without disruption," he blogged. "If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application."

"Of course, even with this new security option turned on, it’s still important for you to use a strong password and follow the rest of our advice for keeping your account secure," he added.
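As an added illustration of the server-side logic behind the log-in verification flow described above (example code written for this article, not Twitter's implementation): a six-digit code sent by SMS at sign-in that is single-use, expires, and allows only a few guesses, plus temporary per-application passwords for clients that cannot complete the SMS step. The SMS gateway stand-in, the 300-second code lifetime and the three-guess budget are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumed value: how long one SMS code stays valid
MAX_ATTEMPTS = 3         # assumed value: guesses allowed per issued code

@dataclass
class Account:
    phone: str                 # verified phone number registered at enrollment
    pending_code: str = ""     # six-digit code most recently sent by SMS
    issued_at: float = 0.0     # when that code was issued (epoch seconds)
    attempts_left: int = 0     # guesses remaining for the pending code
    app_passwords: dict = field(default_factory=dict)  # label -> temp password

def issue_login_code(acct, now=None):
    """Second sign-in step: mint a fresh six-digit code and text it to the phone."""
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
    acct.pending_code = code
    acct.issued_at = time.time() if now is None else now
    acct.attempts_left = MAX_ATTEMPTS
    print(f"SMS to {acct.phone}: your login verification code is {code}")  # gateway stand-in
    return code

def verify_login_code(acct, submitted, now=None):
    """Accept a code only once, within its TTL, and within the guess budget."""
    now = time.time() if now is None else now
    if not acct.pending_code or acct.attempts_left <= 0:
        return False
    if now - acct.issued_at > CODE_TTL_SECONDS:
        acct.pending_code = ""            # expired: caller must request a new code
        return False
    acct.attempts_left -= 1
    ok = hmac.compare_digest(acct.pending_code.encode(), submitted.encode())  # constant time
    if ok or acct.attempts_left == 0:
        acct.pending_code = ""            # single use, or guess budget exhausted
    return ok

def issue_app_password(acct, app_label):
    """Temporary password for a device or app that cannot do the SMS step."""
    pw = secrets.token_urlsafe(12)
    acct.app_passwords[app_label] = pw
    return pw

def check_app_password(acct, app_label, submitted):
    """Constant-time check of a temporary application password."""
    stored = acct.app_passwords.get(app_label, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), submitted.encode())
```

A real deployment would also persist the code state server-side and rate-limit code requests per account, which this sketch leaves out.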

Ken Pickering, development manager of security intelligence at penetration testing firm Core Security, called the move by Twitter a big step—even if it’s overdue.

"A successful attacker would now need access to your password and your cell phone instead of basic password-cracking software, but the hard part is convincing people to use it," he said.

"Google and Facebook have been using two-factor authentication for a while and I have yet to see widespread adoption," he added. "If you care at all about the security of these social networks, you should be using two-factor authentication. As long as everyone does, we'll be in a much better position."