With social networks coming under increasing pressure to improve security, given their vulnerabilities, the ease with which accounts are hacked and the consequences of breaches, Twitter has opted for two-factor authentication (2FA) as a means of strengthening its access control.
Currently, a username and password are all that is required to access Twitter, and this is easily compromised. 2FA addresses this by adding another factor. A randomly generated code, a physical token and biometrics are examples of technologies used as the second factor; Twitter has opted for a code transmitted to the user by SMS. This is the simplest method of deploying 2FA to the masses: physical tokens are expensive, biometrics are difficult in terms of enrollment, and random code generators (as used by banks) are also costly.
Security company ESET is pleased with the introduction of 2FA at Twitter as reflected in the comment by the company's technical team leader, Mark James:
“Twitter has been under pressure to improve authentication for some time. The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. If two-factor authentication had been in place before, the Syrian Electronic Army hacks simply would not have been successful. The fact it has taken Twitter so long to wake up to this is actually quite shameful.
“Better late than never though, and a job listing posted in February suggests Twitter has been seeking software engineers to develop “user-facing security features, such as multifactor authentication and fraudulent login detection” for some months. It’s good news for all Twitter users that we will finally now see this come into play.”
Kaspersky Lab also believes that strengthening access control to Twitter is a good thing, but the company's Senior Security Researcher, David Emm, believes that while two-factor authentication will make it harder for accounts to be hijacked, there are some potential pitfalls with the new approach. He commented:
“Twitter’s use of two-factor authentication should be welcomed with open arms. Two-factor authentication makes it difficult for someone to hijack an account, by adding another method of validation. To date a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess.
“It’s easy to see why Twitter has chosen to use SMS as the second authentication method. Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers.
“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app which doesn’t require login credentials to be entered each time. This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication.
“Also, it is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. We have already seen similar malware designed to steal mTAN numbers for banking transactions and examples include ZitMo (ZeuS-in-the-Mobile).”