Expert Analysis

Twitter Two-Factor Authentication: Too Little, Too Late?

Two-factor authentication is a good step. But for securing many sites, Twitter included, it's not enough.

Can you feel the two-factor fever?

Following in the footsteps of Microsoft this month, Apple in March, and Facebook and Google before them, Twitter is now testing a two-factor authentication system to make it more difficult for attackers to hijack people's accounts.

That's welcome news in the wake of Twitter account takeovers of Burger King and Jeep, not to mention the Syrian Electronic Army's media-focused takeover campaign, which to date has compromised everyone from the BBC and Reuters to National Public Radio and the Associated Press. Indeed, one fake tweet -- this week's hoax AP report that the president was injured in a White House bomb blast -- led to a temporary downturn in both the stock market and AP's Twitter-following base. It also led many social media watchers to ask: Why has Twitter been so slow to offer information security improvements?

Adding two-factor authentication to Twitter is long overdue. Even when it arrives, however, it won't be enough to block the kind of phishing attack that the Syrian Electronic Army reportedly used to compromise AP, among other attacks. "In the case of a phishing message, two-factor authentication would not eliminate the problem," Mark Risher, CEO of social media security startup Impermium, told The New York Times. "There are ways to circumvent this. I could create a fake Web page for Twitter and ask you to enter your user credentials." An attacker who captures the real username, password and one-time code that way can then use them to access the targeted account.


Twitter's current security posture -- or lack thereof -- may reflect its less-is-more approach to collecting information about its users or sharing it. "To its credit, the data privacy advocates like it because it doesn't track much," said Sean Sullivan, security advisor at F-Secure Labs, speaking by phone. But this lightweight approach has downsides, for example when it comes to repelling account takeover artists. "It doesn't say, we've never seen Syrian IP addresses used to log into this account before, so we're going to block it," Sullivan said.

For comparison's sake, Facebook offers hierarchical admin roles -- so not everyone able to access a Facebook account has the right to add or change other accounts or passwords -- and it also watches for log-ins from unknown locations, based on IP address ranges. Try to log in from Syria for the first time, and even if you get the password right, certain aspects of account administration, such as being able to see your security question settings, may be disabled, so long as you're using a machine that hasn't yet been verified via an email to the address you have on file. Account holders can view active sessions -- including devices that have been used to log into the account, and log-in times -- and disable any of these sessions.
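The controls just described (remembering where an account has logged in from, restricting a first-time-location login until the device is verified by email, and letting the holder list and revoke sessions) can be sketched in a few dozen lines. The following is an added example written for this page, not Facebook's or Twitter's code; the IP-to-country table, account names, device IDs and timestamps are all constructed, and a real deployment would use a GeoIP database and actually send the verification token by email.

```python
"""Toy model of location-aware login controls: remember which countries an
account has logged in from, restrict a session that arrives from a new
location on an unverified device, verify a device with a token that would
be emailed to the address on file, and list or revoke active sessions.
Added example, not Facebook's or Twitter's code; all data is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import secrets

# Constructed stand-in for a GeoIP database (documentation ranges only).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("192.0.2.0/24"), "SY"),
]


def country_of(ip: str) -> str:
    """Map an address to a country code, '??' if outside the table."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


@dataclass
class Session:
    session_id: str
    device_id: str
    ip: str
    login_time: str
    restricted: bool  # True: sensitive settings (e.g. security questions) hidden


@dataclass
class Account:
    username: str
    seen_countries: set = field(default_factory=set)
    verified_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # verification token -> device_id
    sessions: dict = field(default_factory=dict)  # session_id -> Session


def login(acct: Account, device_id: str, ip: str, when: str, password_ok: bool):
    """Caller has already checked the password; decide what the session may do.

    Returns (session, verification_token). The token is None unless the
    session was restricted; in a real system it would be emailed."""
    if not password_ok:
        return None, None
    cc = country_of(ip)
    new_location = cc not in acct.seen_countries
    restricted = new_location and device_id not in acct.verified_devices
    sess = Session(secrets.token_hex(8), device_id, ip, when, restricted)
    acct.sessions[sess.session_id] = sess
    token = None
    if restricted:
        token = secrets.token_urlsafe(16)
        acct.pending[token] = device_id
    else:
        # Only a trusted login teaches the account a new country; a restricted
        # one must not, or an intruder's first login would whitelist its location.
        acct.seen_countries.add(cc)
    return sess, token


def verify_device(acct: Account, token: str) -> bool:
    """Redeem an emailed token: trust the device and lift its restrictions."""
    device_id = acct.pending.pop(token, None)
    if device_id is None:
        return False
    acct.verified_devices.add(device_id)
    for s in acct.sessions.values():
        if s.device_id == device_id and s.restricted:
            s.restricted = False
            acct.seen_countries.add(country_of(s.ip))
    return True


def can_view_security_settings(acct: Account, session_id: str) -> bool:
    s = acct.sessions.get(session_id)
    return s is not None and not s.restricted


def active_sessions(acct: Account):
    """What the account holder sees: device, address, time, restricted flag."""
    return [(s.device_id, s.ip, s.login_time, s.restricted)
            for s in acct.sessions.values()]


def revoke_session(acct: Account, session_id: str) -> bool:
    return acct.sessions.pop(session_id, None) is not None


if __name__ == "__main__":
    acct = Account("newsdesk", seen_countries={"US"}, verified_devices={"office-laptop"})
    s1, _ = login(acct, "office-laptop", "203.0.113.10", "2013-04-23T17:07Z", True)
    s2, tok = login(acct, "unknown-pc", "192.0.2.5", "2013-04-23T17:09Z", True)
    print(active_sessions(acct))                             # second entry is restricted
    print(can_view_security_settings(acct, s2.session_id))   # False until verified
    revoke_session(acct, s2.session_id)
```

The one design choice worth noting is in `login`: a restricted login never adds its country to `seen_countries`. If it did, a correct password from a never-seen location would be enough to make that location "known" for the next attempt, which is exactly the situation the check exists to catch.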

Why hasn't Twitter added similar features? "Honestly, if they created something like Twitter Pro, AP would pay for that, and they'd opt into that logging, and their accounts would be protected," said Sullivan. "And of course you don't scale that to all users, because they don't all need that."

For many people, Twitter's just a bit of fun -- a free service for channeling wit and wisdom in 140 characters or less. But then again, this isn't some local, dial-up BBS used by a few thousand people, with members inclined to laugh off defacements and hoaxes. Instead, it's become a global communications system for disseminating information about everything from Boston bombing lockdowns and disaster warnings to reporting customer service issues and public emergencies.

As more people come to rely on this system, it's time for Twitter to secure accordingly.

Comments
DPAPA282 (User Rank: Apprentice)
5/23/2013 | 10:28:23 PM
re: Twitter Two-Factor Authentication: Too Little, Too Late?
I agree with the points made in the article but to say two-factor is a waste of time is crazy...it's one measure they needed to deploy to harden their security profile... Phishing and more so Spear Phishing can be prevented with a combination of security policy and Education....the comment Mike made below is spot on regarding malware...once infected, the hacker is considered a 'trusted user' and can cause harm via breach, etc.... focus on Malware Prevention via Global Intelligence and an in-depth security posture instead of a press release around two-factor. Seems like a marketing announcement to put their users at ease which, in turn, will cause more harm to end users.... My two cents
Mike_Acker (User Rank: Apprentice)
4/27/2013 | 12:25:34 PM
re: Twitter Two-Factor Authentication: Too Little, Too Late?
Two-factor ID is a waste of time: hackers do not attack in that manner. The preferred attack is to get malware into your computer. Once that's done they just use YOUR credentials to do whatever.

The real issue is in authenticating transmittals of every sort INCLUDING software updates.