Twitter looking to hire two-factor authentication brains


Just a few days after Twitter reset passwords and revoked session tokens for 250,000 possibly hacked user accounts, the king of social media succinctness has apparently moved to implement two-factor authentication.

The Guardian picked up on the move after spotting this help-wanted ad for a software engineer in product security.

Twitter says, if you like to code and if you like security, do they have the perfect position for you!

The position is asking for someone who will "design and develop user-facing security features, such as multifactor authentication and fraudulent login detection".

Two-factor authentication requires users to enter a per-transaction or per-session code: in essence, a disposable, single-use password.

It's one small extra step for users, but it's one big headache for cyber trespassers.


Twitter will be in good company.

Google, for one, already offers two-step authentication.

For its part, Dropbox rolled it out in trial form in August.

Dropbox's move followed spam pollution spread by the toxic use of the same password on multiple sites (a Dropbox employee being implicated in this basic password sin, which led to the staffer's account being shaken down for many email addresses).

Facebook's also on the two-factor bandwagon. Kind of. Sort of.

As Graham Cluley noted in the fall, Facebook is more and more grabby as it pursues users' phone numbers.

It's gone so far as to force many users to enter their mobile numbers for authentication when they create an account, or as a security check in the case of suspicious activity. Which is two-factorish, albeit in a fashion that seems a trifle arbitrary and self-serving.

And then again there's PayPal, which uses two-factor authentication if you stump up the cash for it.

That is, sometimes PayPal requires you to enter in your ever-changing token code.

Except, well, you know, if it sends a one-time weblink to your email address, asks you for two secondary passwords (aka security questions, or passwords by another name), and then lets you log in without your token code, as happened to Sophos expert Troy Cunningham.

As far as Twitter's anticipated move goes, it would be nice if the company did it in a consistent, bolted-down way, instead of taking missteps as many other companies have.

If Twitter does manage to do it right, big brand names would be wise to adopt two-factor authentication as soon as it's available, so as to avoid some of the truly embarrassing account takeovers we've seen befall certain companies, such as:

...whose accounts have either been hacked or who would love to have their constituents believe their accounts were hacked, given how embarrassingly pink and fleshy some of those tweets can be.

Will Twitter two-factor authentication stem the tide of woebegone Twitter hacking victims, be they true or fictional accounts?

Perhaps. But not to worry: the intertubes will always find new ways to keep us entertained, Twitter hacks or no.



7 Responses to Twitter looking to hire two-factor authentication brains

  1. Lisa Vaas · 562 days ago

    Thanks to Attila for pointing out that there seems to be no clear correlation between the hack and the ad, given that it was placed before the hack was made public. Of course, who knows about the time lag between whenever Twitter discovered the hack and when it went public about it, but the timeline of ad placing/hack knowing is all unknowable (outside of Twitter), so a direct correlation can't be made.

  2. Andrew · 562 days ago

    What about people that don't have a mobile phone, how will they receive the single use codes?

    • Tony · 561 days ago

      My bank allows for 2FA that will send a voice message to a regular home or office phone number.

    • David Pottage · 561 days ago

      The 2FA systems used on Google & Dropbox are optional (but recommended). If you don't have a smartphone, then you can still use their services, but with less security.

      In any case, I think most of the target demographic for twitter have smartphones.

      I just hope that Twitter build a system using Google Authenticator. It is open source, looks to be well designed and is cheap and easy to deploy to any customer with a smartphone. While it may be theoretically weaker than a dedicated hardware token (malware on the smartphone could extract key material), in practice the benefits of wide deployment would outweigh that small risk.
      http://en.wikipedia.org/wiki/Google_Authenticator

  3. Mike · 560 days ago

    Sounds like Twitter never had much of a security department before the hack. Kind of like backups - nobody cares until they get burned, and then it's a "let's fix this right now" mentality.

  4. catannea · 549 days ago

    I had this sort of "security" at my bank once.
    Then I needed to send an emergency deposit to a child.
    And there was no mobile signal in my village.
    I cancelled that service.
    Two days later the one-time pin code reached my mobile phone.
    Useless.

    • Paul Ducklin · 549 days ago

      I'm not a big fan of phone-based (SMS) token authentication either.

      There's your reason, namely that SMS delivery isn't guaranteed. (I've had SMSes arrive up to 48 hours late - rarely, I admit, but it has happened - even in major metro areas.)

      The second reason is that SMS authentication is only as secure as your phone number. A crook who can trick your phone company into shifting your number to a new phone (a process known as "porting," at least in the Australian vernacular I am used to) then has a window of opportunity to drain your account. *Your* phone is dead, so you can't call and complain or alert the bank. *His* phone collects your tokens.

      It happens:

      http://nakedsecurity.sophos.com/indian-two-factor...


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.