Twitter's Two-Factor Authentication: 5 Reasons To Avoid

Two-step verification system has no provision for backup access or lost phones, doesn't address public username problem.

Mathew Schwartz

May 24, 2013

Beware using Twitter's new, voluntary two-factor authentication system.

The long-awaited system, which launched last week, sends a six-digit numeric code via SMS to a user's registered mobile phone number. The code must be used to log into a Twitter account.

Surely, any Twitter security control improvements are good news, right? Unfortunately, early feedback has been less than positive. "Twitter's first run at this just seems like a hot mess," tweeted Sean Sullivan, security adviser at F-Secure Labs, citing usability and recoverability issues.

Accordingly, weigh these five related problems before deciding to activate the new security feature:

1. Don't Lose Your Mobile Phone

What happens if Twitter users lose their mobile phone and can't receive the SMS credential? So far, the answer doesn't look good: Twitter's password-reset system still requires a user who has activated two-factor authentication to enter an SMS-sent PIN code before being allowed to change the password. Unlike Google, which lets users print out one-time codes -- in the event that their mobile phone is lost or stolen, or they're traveling and don't have cellular network connectivity -- Twitter offers no backup approach.

2. The System Doesn't Allow Activations For Incompatible Carriers

Not all carriers' networks are compatible with Twitter's two-step verification feature. Twitter has said compatibility will increase over time.

But some users have reported being able to add two-factor authentication to their account and then never receiving the SMS PIN code they needed to log in, because their mobile telecom carrier doesn't yet support Twitter's system. In other words, they've locked themselves out of their Twitter account.

Getting stuck in that situation is possible because of Twitter's two-step-verification setup process, which asks users to click yes or no to indicate whether they've received a confirmation SMS from the company, as a way of confirming that their carrier is compatible with the system. But if a user incorrectly or accidentally selects "yes" without having actually received the verification SMS, then the account will be secured using a credential the user can't receive. At that point, they'll need to contact Twitter's support team and prove who they are in order to try to deactivate the two-factor authentication and regain access to their account.

A simple, well-known fix would prevent these types of situations from happening. "You shouldn't be able to [activate] SMS 2-factor w/ entering a code sent via SMS," tweeted Sullivan. The fact that Twitter didn't opt for that approach -- as many other businesses offering two-factor authentication have done -- suggests Twitter's two-step verification effort is a rush job.
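The enrollment fix described above, together with the printable backup codes mentioned in item 1, can be sketched as follows. This is an added example, not Twitter's or Google's code; the class, method names, and the timeout and attempt limits are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a pending SMS code stays valid (assumed value)
MAX_ATTEMPTS = 5   # wrong guesses allowed per pending code (assumed value)

class Enrollment:
    """SMS second-factor enrollment that activates only after proof of receipt."""
    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(phone, text); delivery may silently fail
        self.active = {}          # account -> verified phone number
        self.pending = {}         # account -> [phone, code_hash, expires, attempts]
        self.backup = {}          # account -> set of hashed one-time recovery codes

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def start(self, account, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = [phone, self._h(code), now + CODE_TTL, 0]
        self.send_sms(phone, f"Your verification code is {code}")

    def confirm(self, account, code, now=None):
        """Activate only if the submitted code matches; return backup codes once."""
        now = time.time() if now is None else now
        entry = self.pending.get(account)
        if entry is None or now > entry[2] or entry[3] >= MAX_ATTEMPTS:
            self.pending.pop(account, None)   # expired or exhausted: start over
            return None
        entry[3] += 1
        if not hmac.compare_digest(entry[1], self._h(code)):
            return None                       # no yes/no self-attestation path exists
        del self.pending[account]
        self.active[account] = entry[0]
        codes = [secrets.token_hex(5) for _ in range(8)]
        self.backup[account] = {self._h(c) for c in codes}
        return codes                          # shown once so the user can print them

    def recover(self, account, backup_code):
        """Spend one backup code when the phone is unavailable; each works once."""
        digest = self._h(backup_code)
        if digest in self.backup.get(account, set()):
            self.backup[account].discard(digest)
            return True
        return False
```

With an incompatible carrier the SMS never arrives, `confirm` can never succeed, and the account stays in its previous state instead of being locked behind an unreachable credential.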

3. One Mobile Phone Secures Only One Account

People with more than one Twitter account must also decide which single account to protect using two-step verification, unless they also have more than one mobile phone number. That's because Twitter allows a mobile phone number to be associated with only a single Twitter handle. As software architect Troy Hunt tweeted: "Looks like you can only do Twitter 2FA with one account per mobile number. That totally sucks." For comparison's sake, authenticator apps from Google and Microsoft allow one-time codes to be generated for any number of registered accounts, and many SMS-based services allow the same mobile phone number to be used with more than one account.

4. For Group Accounts, No Syrian Electronic Army Defense

Twitter's login security model has been criticized after a rash of online account takeovers, including the Syrian Electronic Army's hoax Associated Press tweet claiming that President Obama had been injured in White House bomb blasts.

The new two-step verification feature won't block group account takeovers of media outlets' Twitter feeds, because one account must be tied to one mobile phone number. "TFA isn't going to help these companies, because they can't all access the same phone at the same time," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

"Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to 'own' the phone -- and share the six-digit code with journalists as they try to log in to share breaking news stories," Cluley said. Given those kludgy workarounds, "many media organizations may choose not to enable Twitter's additional security at this time," he said.

5. Public Usernames Undermine Twitter Security Model

Twitter's two-step verification, according to F-Secure's Sullivan, also hasn't addressed the fact that Twitter usernames are the same as public account handles. "Applying 2-factor to an endpoint that is publicly known just seems like a huge hassle for the average user," Sullivan tweeted.

Instead, he has argued, Twitter should implement a system whereby usernames are no longer the same as a person's Twitter handle. That way, handles can be public but usernames and passwords can be kept secret. Until that happens, Sullivan tweeted, "adding 2-factor authentication to a leaky 'social' ship seems like putting the cart in front of the horse."
