NEWS

Twitter Implements Two-Factor Authentication But Critics See Flaws

By Holly Gilbert

After a series of high-profile attacks, Twitter Inc. is implementing new security measures intended to make it harder for user accounts to be hacked. On Wednesday, the micro blogging site announced it will allow users to set their accounts to two-factor authentication, which requires a second verification step beyond the normal password.

The popular site, over which 400 million tweets are sent per day, has come under fire in recent months after accounts such as 60 Minutes and the Financial Times were hacked. In April, criticism intensified after the Associated Press's Twitter account was compromised and a tweet went out falsely claiming there were explosions at the White House and the President had been injured.

If a user wants to opt-in to the new authentication process, the person must first register their smartphone number, which will have to be verified in connection with the Twitter account. An SMS message will then be sent to the user's smartphone when the user logs in via a Web browser. The message contains a one-time, six-digit password which must be entered in addition to the normal password each time the person wants to log onto the site.

The new security measure has its limitations. On its Web site, Twitter says that users will have to individually configure each application they use to access Twitter with verification codes, such as HootSuite and TweetDeck. And the measure creates new hurdles for users who have multiple administrators. As the New York Times points out, “Twitter accounts for larger brands and news outlets are often managed by several employees, but only one employee would receive the log-in code" because there can be only one smartphone tied to the account. Other employees could presumably ask the main user for the one-time code but that could be perceived as enough of an inconvenience that it would discourage implementation of the security feature, plus--though the NYT doesn't say so--once a user with the ability to get the one-time code thinks it's okay to give it to another person, they might get fooled into giving it to a hacker impersonating a legitimate user, essentially creating the same vulnerability that is supposedly being plugged.

Moreover, two-factor authentication isn't foolproof, notes the NYT. Hackers can still launch “man-in-the-middle” attacks, which tricks two computers into thinking they are communicating with one another, when they are both actually talking to the hacker’s machine. (You can read more about these types of attacks on TrendMicro’s blog here.) Finally, the measure may not work with all phone carriers yet.

But Twitter says it isn't finished. Jim O’Leary of the Twitter product security team writes on its Web site, “much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”

Flickr photo by trekkyandy

Comments

View Recent News (by day)

 




Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.