Twitter is aiming to improve security for its users with an improved two-factor log-in verification system that goes beyond the SMS-based system that the company first deployed two months ago. Security experts eWeek spoke with have mixed opinions on whether Twitter’s latest attempt at user security will really make a difference.
Two-factor authentication refers to a site’s or service’s requirements for a second password or token in order to gain access. The idea is that a single username and password combination can potentially be breached, but adding in the second factor for authentication, increases the complexity and reduces the risk. Typically, two-factor authentication systems use a randomly generated password that is time-based, in order to make the log-in more secure.
Twitter first implemented two-factor authentication in May, after the accounts of a number of high-profile media users were exploited. The initial May implementation relied on users receiving a Short Message Service (SMS) text on their smartphones in order to provide the two-factor log-in verification.
Now, Twitter is enabling both Apple iOS and Google Android smartphone users to leverage their existing Twitter apps for the two-factor log-in verification process. With the new system, Twitter users enroll their smartphone apps in the log-in verification process with a simple settings box checkmark. Once that’s done, whenever a browser-based log-in request comes in, the mobile Twitter app becomes the control point from which the user can approve access.
If the users lose or forget their phones, Twitter also now has a backup log-in verification code, that users are prompted to print and store, that can be used as well.
The new app-based approach is being positively received by some security professionals.
“It is smoother from a user perspective as one does not have to enter the confirmation code on the Web page anymore, and it is safer because it uses a cryptographic protocol to transmit the codes,” Wolfgang Kandek, CTO of Qualys, told eWeek. “It also provides more information to the user, i.e., somebody is trying to log in from Menlo Park for me yesterday, pretty close as I was in Redwood City, which helps correlate the request.”
Tommy Chin, technical support engineer at CORE Security, is also optimistic about the new approach, especially in contrast with the previous SMS-based method for log-in verification.
“SMS messages can easily be stolen and intercepted by Trojan software that silently runs on the phone, if a phone is compromised,” Chin told eWeek. “These text messages can also be read in plain text by mobile network operators in a few places.”
With the new implementation, the only method of breaking into an account is to actually steal a phone, Chin said. “The ability to verify a log-in on a phone is pretty cool,” he added. “I believe that this implementation will cause a new rise in phone thieves who have very good pickpocketing skills.”
Google Authenticator
Twitter isn’t the first or the only major online service to offer two-factor authentication. Google with its Google Authenticator Mechanism has been offering a somewhat similar app-based approach for several years. With Google Authenticator, Google users employ the mobile app to obtain the two-factor code, which is then entered into the browser to grant access.
Twitter Gives Two-Factor Security a Second Shot
Unlike Google Authenticator, Twitter’s new log-in verification, creates a dependency on the data capability of the smartphone, Qualys’ Kandek said, adding that while Google Authenticator locally generates its password codes, Twitter receives information over the Web.
Google Authenticator is also an extensible platform that multiple other services use.
“I now have Google authenticator for my WordPress, Lastpass and my Linux machine at home beyond my normal Gmail accounts,” Kandek said.
Twitter’s log-in verification is a little easier to use, Ken Pickering, director of engineering at CORE Security, said. With Twitter, the log-in verification is within the application itself, whereas Google still requires users to switch back and forth between apps to see the second factor. The extra step with Google is potentially a hurdle in getting users to adopt two-factor authentication, Pickering told eWEEK.
Jamie Cowper, senior director at Nok Nok Labs, told eWeek that although the underlying technology is different in Twitter’s new log-in verification, the end-user experience is similar to Google Authenticator.
“The problem remains that users are looking to use their mobile devices as the main platform, rather than an additional factor, so usability remains a challenge,” Cowper said. “All of these solutions aren’t designed for the mobile first experience.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.