Twitter Gives Two-Factor Security a Second Shot

For the second time in as many months, Twitter is trying to secure itself and its users with a new log-in verification system.


Twitter is aiming to improve security for its users with an improved two-factor log-in verification system that goes beyond the SMS-based system that the company first deployed two months ago. Security experts eWeek spoke with have mixed opinions on whether Twitter's latest attempt at user security will really make a difference.

Two-factor authentication refers to a site's or service's requirements for a second password or token in order to gain access. The idea is that a single username and password combination can potentially be breached, but adding in the second factor for authentication, increases the complexity and reduces the risk. Typically, two-factor authentication systems use a randomly generated password that is time-based, in order to make the log-in more secure.

Twitter first implemented two-factor authentication in May, after the accounts of a number of high-profile media users were exploited. The initial May implementation relied on users receiving a Short Message Service (SMS) text on their smartphones in order to provide the two-factor log-in verification.

Now, Twitter is enabling both Apple iOS and Google Android smartphone users to leverage their existing Twitter apps for the two-factor log-in verification process. With the new system, Twitter users enroll their smartphone apps in the log-in verification process with a simple settings box checkmark. Once that's done, whenever a browser-based log-in request comes in, the mobile Twitter app becomes the control point from which the user can approve access.

If the users lose or forget their phones, Twitter also now has a backup log-in verification code, that users are prompted to print and store, that can be used as well.

The new app-based approach is being positively received by some security professionals.

"It is smoother from a user perspective as one does not have to enter the confirmation code on the Web page anymore, and it is safer because it uses a cryptographic protocol to transmit the codes," Wolfgang Kandek, CTO of Qualys, told eWeek. "It also provides more information to the user, i.e., somebody is trying to log in from Menlo Park for me yesterday, pretty close as I was in Redwood City, which helps correlate the request."

Tommy Chin, technical support engineer at CORE Security, is also optimistic about the new approach, especially in contrast with the previous SMS-based method for log-in verification.

"SMS messages can easily be stolen and intercepted by Trojan software that silently runs on the phone, if a phone is compromised," Chin told eWeek. "These text messages can also be read in plain text by mobile network operators in a few places."

With the new implementation, the only method of breaking into an account is to actually steal a phone, Chin said. "The ability to verify a log-in on a phone is pretty cool," he added. "I believe that this implementation will cause a new rise in phone thieves who have very good pickpocketing skills."

Google Authenticator

Twitter isn't the first or the only major online service to offer two-factor authentication. Google with its Google Authenticator Mechanism has been offering a somewhat similar app-based approach for several years. With Google Authenticator, Google users employ the mobile app to obtain the two-factor code, which is then entered into the browser to grant access.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.