Back in May 2013, Twitter first added a two-factor authentication capability to its service, relying on SMS to deliver a six-digit log-in code. Now, after four and a half years, Twitter is adding new options, announcing on Dec. 20 that its 2FA approach will support third-party tools.
Twitter calls its 2FA approach “log-in verification,” and it provides a second layer of authentication and protection for Twitter accounts. Rather than just needing a username and a password to get access to an account, 2FA approaches require a second password that is randomly generated by a secondary device or a service like SMS.
“We’re rolling out an update to login verification,” the official Twitter Safety account wrote in a message. “You’ll now be able to use a third party app for two-factor authentication instead of SMS text messages.”
With the change, Twitter users can now use a third-party authenticator app, such as Google Authenticator, Authy or Duo Mobile, instead of SMS. The apps can be installed on iOS or Android devices, and, once users enable the log-in verification option, they generate one-time passwords to authenticate and log into Twitter.
“Making stronger authentication available to better protect users is always the right move,” Kyle Lady, senior R&D engineer at Duo Security, told eWEEK. “2FA adoption has gradually been picking up steam with the general public, and we foresee a day when it will become common practice with all online accounts.”
SMS
There are several reasons why it’s important that Twitter look beyond SMS for its 2FA approach. Using SMS for 2FA has a number of security disadvantages and isn’t considered to be the best approach, according to the U.S. National Institute of Standards and Technology (NIST). In July 2016, NIST updated its Digital Authentication Guidelines, suggesting that SMS-based 2FA isn’t secure and should not be used.
Lady, however, said SMS-based two-factor authentication is more secure than not having any 2FA at all. If there is mass adoption of SMS-based 2FA, it will end up protecting more people even if it is technically a less secure mechanism because it raises the bar for an attacker from merely phishing or guessing to also having to attack phone companies, he said.
“This is similar for when we look at mobile screen locks,” Lady said. “While some will say fingerprint or facial recognition is less secure—it’s easier—therefore more people will enable it versus a passcode. In other words, SMS-based two-factor authentication is better than customers using no two-factor authentication at all.”
That said, Lady noted that using a cryptographically secure approach, such as a phone app or hardware security keys like U2F (Universal Second Factor) tokens, does provide more account security. However, he said that a lack of consumer adoption of these approaches means that only offering them may result in users just turning 2FA off altogether.
“Ultimately, whether phone-based authentication is sufficiently secure depends on the sophistication and motivation of the attackers that the user, or their administrator, wants to protect against,” he said.
To get started with 2FA on Twitter, follow the detailed instructions on how to enable log-in verification for user accounts using either SMS or with third-party apps.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.