Twitter's Two-Factor Authentication: 5 Reasons To Avoid

Two-step verification system has no provision for backup access or lost phones, doesn't address public username problem.

The Syrian Electronic Army: 9 Things We Know
Beware using Twitter's new, voluntary two-factor authentication system.

The long-awaited system, which launched last week, sends a six-digit numeric code via SMS to a user's registered mobile phone number. The code must be used to log into a Twitter account.

Surely, any Twitter security control improvements are good news, right? Unfortunately, early feedback has been less than positive. "Twitter's first run at this just seems like a hot mess," tweeted Sean Sullivan, security adviser at F-Secure Labs, citing usability and recoverability issues.

Accordingly, weigh these five related problems before deciding to activate the new security feature:

1. Don't Lose Your Mobile Phone

What happens if Twitter users lose their mobile phone and can't receive the SMS credential? So far, the answer doesn't look good: Twitter's password-reset system still requires a user who has activated two-factor authentication to enter an SMS-sent PIN code before being allowed to change the password. Unlike Google, which lets users print out one-time codes -- in the event that their mobile phone is lost or stolen, or they're traveling and don't have cellular network connectivity -- Twitter offers no backup approach.

2. The System Doesn't Allow Activations For Incompatible Carriers

Not all carriers' networks are compatible with Twitter's two-step verification feature. Twitter has said compatibility will increase over time.

Some users have reported being able to add two-factor authentication to their account but then never receiving the SMS PIN code needed to get back into it, because their mobile carrier doesn't yet support Twitter's system. In other words, they've locked themselves out of their own Twitter account.

Getting stuck in that situation is possible because of Twitter's two-step-verification setup process, which asks a user to click yes/no on whether they've received a confirmation SMS from the company to confirm that their carrier is compatible with the system. But if a user incorrectly or accidentally selects "yes" but hasn't actually received the verification SMS, then their account will be secured using a credential they can't receive. In other words, they'll need to contact Twitter's support team and prove who they are in order to try to deactivate the two-factor authentication and regain access to their account.

A simple, well-known fix would prevent these types of situations from happening. "You shouldn't be able to [activate] SMS 2-factor w/[o] entering a code sent via SMS," tweeted Sullivan. The fact that Twitter didn't opt for that approach -- as many other businesses offering two-factor authentication have done -- suggests Twitter's two-step verification effort is a rush job.
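The enrollment weakness described in point 2 (enable on a yes/no click) and the missing recovery path from point 1 (no printable backup codes) can be shown side by side. The Python below is an added illustration, not Twitter's code and not part of the original article: the `SmsGateway`, `Account` class, phone numbers and message format are all constructed stand-ins. The weak flow trusts the user's self-report of delivery; the hardened flow enables SMS two-factor only once the user echoes back the code that was actually sent, proving the channel works end to end, and then issues one-time backup codes for when the phone is lost or out of coverage.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class SmsGateway:
    """Constructed stand-in for the carrier network. Numbers listed in
    `unreachable` never receive a message, modelling the carriers that the
    article says do not yet support Twitter's system."""

    def __init__(self, unreachable=()):
        self.unreachable = set(unreachable)
        self.inbox = {}  # phone number -> last message delivered

    def send(self, number, text):
        if number in self.unreachable:
            return False  # dropped silently; the service learns nothing
        self.inbox[number] = text
        return True


@dataclass
class Account:
    handle: str
    phone: Optional[str] = None
    sms_2fa: bool = False
    pending_code: Optional[str] = None
    backup_hashes: set = field(default_factory=set)


def _digest(code):
    # Backup codes are stored hashed, like any reusable secret.
    return hashlib.sha256(code.encode()).hexdigest()


def start_enrollment(acct, phone, gw):
    """Step 1 of both flows: register the number and send a verification SMS."""
    acct.phone = phone
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    gw.send(phone, f"Your code is {acct.pending_code}")


def weak_confirm(acct, user_clicked_yes):
    """Weak flow: the user self-reports delivery with a yes/no click.
    A mistaken 'yes' enables 2FA on a channel the user cannot use."""
    if user_clicked_yes:
        acct.sms_2fa = True
    acct.pending_code = None
    return acct.sms_2fa


def hardened_confirm(acct, submitted_code):
    """Hardened flow: enable only after the user echoes back the code that was
    sent. Returns freshly issued one-time backup codes, or None on failure."""
    if acct.pending_code is None or not hmac.compare_digest(
        acct.pending_code, submitted_code
    ):
        return None
    acct.sms_2fa = True
    acct.pending_code = None
    codes = [secrets.token_hex(4) for _ in range(5)]
    acct.backup_hashes = {_digest(c) for c in codes}
    return codes


def recover_with_backup_code(acct, code):
    """Recovery path when the phone is unavailable: each code works once."""
    h = _digest(code)
    if h not in acct.backup_hashes:
        return False
    acct.backup_hashes.discard(h)
    return True


def code_received(gw, phone):
    """What the user can read off the handset: the code, or '' if nothing came."""
    msg = gw.inbox.get(phone, "")
    return msg.rsplit(" ", 1)[-1] if msg else ""


def enroll(acct, phone, gw, flow):
    """Run one enrollment end to end and report whether the account ended up
    protected by a factor the user cannot actually receive (a lockout)."""
    start_enrollment(acct, phone, gw)
    got = code_received(gw, phone)
    if flow == "weak":
        weak_confirm(acct, user_clicked_yes=True)  # the accidental "yes"
        backups = None
    else:
        backups = hardened_confirm(acct, got)
    locked_out = acct.sms_2fa and not got and not backups
    return {"enabled": acct.sms_2fa, "locked_out": locked_out, "backups": backups}


if __name__ == "__main__":
    gw = SmsGateway(unreachable={"+15550000002"})  # constructed numbers
    for flow in ("weak", "hardened"):
        for phone in ("+15550000001", "+15550000002"):
            print(flow, phone, enroll(Account("@example"), phone, gw, flow))
```

Running it shows the difference: with the unreachable number, the weak flow reports `enabled: True, locked_out: True`, while the hardened flow refuses to enable at all. With a reachable number the hardened flow enables 2FA and hands back five backup codes, each of which `recover_with_backup_code` accepts exactly once.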

3. One Mobile Phone Secures Only One Account

People with more than one Twitter account must also decide which single account to protect using two-step verification, unless they also have more than one mobile phone number. That's because Twitter allows a mobile phone number to be associated with only a single Twitter handle. As software architect Troy Hunt tweeted: "Looks like you can only do Twitter 2FA with one account per mobile number. That totally sucks." For comparison's sake, authenticator apps from Google and Microsoft allow one-time codes to be generated for any number of registered accounts, and many SMS-based services allow the same mobile phone number to be used with more than one account.

4. For Group Accounts, No Syrian Electronic Army Defense

Twitter's login security model has been criticized after a rash of online account takeovers, including the Syrian Electronic Army's hoax Associated Press tweet claiming that President Obama had been injured in White House bomb blasts.

The new two-step verification feature won't block group account takeovers of media outlets' Twitter feeds, because one account must be tied to one mobile phone number. "TFA isn't going to help these companies, because they can't all access the same phone at the same time," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

"Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to 'own' the phone -- and share the six-digit code with journalists as they try to log in to share breaking news stories," Cluley said. Given those kludgy workarounds, "many media organizations may choose not to enable Twitter's additional security at this time," he said.

5. Public Usernames Undermine Twitter Security Model

Twitter's two-step verification, according to F-Secure's Sullivan, also hasn't addressed the fact that Twitter usernames are the same as public account handles. "Applying 2-factor to an endpoint that is publicly known just seems like a huge hassle for the average user," Sullivan tweeted.

Instead, he has argued, Twitter should implement a system whereby usernames are no longer the same as a person's Twitter handle. That way, handles can be public but usernames and passwords can be kept secret. Until that happens, Sullivan tweeted, "adding 2-factor authentication to a leaky 'social' ship seems like putting the cart in front of the horse."

Comments
moarsauce123, User Rank: Apprentice
5/28/2013 | 6:45:34 PM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
You forgot Number 6: No option for people who do not have a cell phone. Maybe Twitter has 'active cell phone' listed as prerequisite now.
revbradl, User Rank: Apprentice
5/28/2013 | 8:35:46 PM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
Thanks for this informative article. I had just enabled the Two-Factor Twitter option, but clearly didn't think through the implications. After reading this article, I've gone back in and unchecked the option.
David F. Carr, User Rank: Apprentice
5/30/2013 | 11:48:21 PM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
I'm more paranoid about getting locked out of my own accounts than I am about getting hacked.
nzakir, User Rank: Apprentice
6/13/2013 | 7:06:39 AM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
I reached here while searching for methods to regain access to my account. I am stuck with situation no. 1: I recently relocated to a different country and don't have cellular coverage on my old phone number. I can't find any way to contact Twitter support either. Please share if you come up with some solution.
Kuan, User Rank: Apprentice
6/24/2013 | 8:24:25 PM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
There's another reason to avoid this - if you give your mobile number to Twitter for authentication, they can send you marketing texts and allow others to find you on Twitter who know your number - see http://blog.kuan0.com/2013/06/...
MatthewR050, User Rank: Apprentice
9/17/2013 | 3:44:54 AM
re: Twitter's Two-Factor Authentication: 5 Reasons To Avoid
Seems to be no way to get support from Twitter either... my phone was damaged and I had to get it replaced. Goodbye Twitter.