Just a few days after Twitter reset passwords and revoked session tokens for 250,000 possibly hacked user accounts, the king of social media succinctness has apparently moved to implement two-factor authentication.
The Guardian picked up on the move after spotting this help-wanted ad for a software engineer in product security.
Twitter says, if you like to code and if you like security, do they have the perfect position for you!
The position is asking for someone who will “design and develop user-facing security features, such as multifactor authentication and fraudulent login detection”.
Two-factor authentication requires users to enter a per-transaction or per-session code: in essence, a disposable, single-use password.
It’s one small extra step for users, but it’s one big headache for cyber trespassers.
Twitter will be in good company.
Google, for one, already offers two-step authentication.
For its part, Dropbox rolled it out in trial form in August.
Dropbox’s move followed spam pollution spread by the toxic use of the same password on multiple sites (a Dropbox employee being implicated in this basic password sin, which led to the staffer’s account being shaken down for many email addresses).
Facebook’s also on the two-factor bandwagon. Kind of. Sort of.
As Graham Cluley noted in the fall, Facebook is more and more grabby as it pursues users’ phone numbers.
It’s gone so far as to force many users to enter their mobile numbers for authentication when they create an account, or as a security check in the case of suspicious activity. Which is two-factorish, albeit in a fashion that seems a trifle arbitrary and self-serving.
And then again there’s PayPal, which uses two-factor authentication if you stump up the cash for it.
That is, sometimes PayPal requires you to enter your ever-changing token code.
Except, well, you know, if it sends a one-time weblink to your email address, asks you for two secondary passwords (aka security questions, or passwords by another name), and then lets you log in without your token code, as happened to Sophos expert Troy Cunningham.
As far as Twitter’s anticipated move goes, it would be nice if the company did it in a consistent, bolted-down way, instead of taking missteps as many other companies have.
If Twitter does manage to do it right, big brand names would be wise to adopt two-factor authentication as soon as it’s available, so as to avoid some of the truly embarrassing account takeovers we’ve seen befall certain companies, such as:
- BP, whose official Twitter account was hijacked by hackers who used it as a platform to joke about the company’s attempts to stem the devastating oil leak that polluted the Gulf of Mexico in 2010,
- The New York Times, whose hacked fashion blog in 2009 was used to pimp “FREE webcam girls/guys doing anything you ask them”; or even
- Brand names in the form of celebrities: Lindsay Lohan, Axl Rose, Kim Kardashian, Anthony Weiner, or Britney Spears…
…whose accounts have either been hacked or who would love to have their constituents believe their accounts were hacked, given how embarrassingly pink and fleshy some of those tweets can be.
Will Twitter two-factor authentication stem the tide of woebegone Twitter hacking victims, be they true or fictional accounts?
Perhaps. But not to worry: the intertubes will always find new ways to keep us entertained, Twitter hacks or no.
Thanks to Attila for pointing out that there seems to be no clear correlation between the hack and the ad, given that it was placed before the hack was made public. Of course, who knows about the time lag between whenever Twitter discovered the hack and when it went public about it, but the timeline of ad placing/hack knowing is all unknowable (outside of Twitter), so a direct correlation can't be made.
What about people that don't have a mobile phone, how will they receive the single use codes?
My bank allows for 2FA that will send a voice message to a regular home or office phone number.
The 2FA systems used on Google & Dropbox are optional (but recommended). If you don't have a smartphone, then you can still use their services, but with less security.
In any case, I think most of the target demographic for Twitter have smartphones.
I just hope that Twitter builds a system using Google Authenticator. It is open source, looks to be well designed and is cheap and easy to deploy to any customer with a smartphone. While it may be theoretically weaker than a dedicated hardware token (malware on the smartphone could extract key material), in practice the benefits of wide deployment would outweigh that small risk.
http://en.wikipedia.org/wiki/Google_Authenticator
Sounds like Twitter never had much of a security department before the hack. Kind of like backups – nobody cares until they get burned, and then it's a let's fix this right now mentality
I had this sort of "security" at my bank once.
Then I needed to send an emergency deposit to a child.
And there was no mobile signal in my village.
I cancelled that service.
Two days later the one-time pin code reached my mobile phone.
Useless.
I'm not a big fan of phone-based (SMS) token authentication either.
There's your reason, namely that SMS delivery isn't guaranteed. (I've had SMSes arrive up to 48 hours late – rarely, I admit, but it has happened – even in major metro areas.)
The second reason is that SMS authentication is only as secure as your phone number. A crook who can trick your phone company into shifting your number to a new phone (a process known as "porting," at least in the Australian vernacular I am used to) then has a window of opportunity to drain your account. *Your* phone is dead, so you can't call and complain or alert the bank. *His* phone collects your tokens.
It happens:
http://nakedsecurity.sophos.com/indian-two-factor…