Twitter looking to hire two-factor authentication brains


Twitter birdJust a few days after Twitter reset passwords and revoked session tokens for 250,000 possibly hacked user accounts, the king of social media succinctness has apparently moved to implement two-factor authentication.

The Guardian picked up on the move after spotting this help-wanted ad for a software engineer in product security.

Twitter says, if you like to code and if you like security, do they have the perfect position for you!

The position is asking for someone who will “design and develop user-facing security features, such as multifactor authentication and fraudulent login detection”.

Two-factor authentication requires users to enter a per-transaction or per-session code. In essence, a disposable, single-use password.

It’s one small extra step for users, but it’s one big headache for cyber trespassers.

Twitter job advert

Twitter will be in good company.

Google, for one, already offers two-step authentication.

For its part, Dropbox rolled it out in trial form in August.

Dropbox’s move followed spam pollution spread by the toxic use of the same password on multiple sites (a Dropbox employee being implicated in this basic password sin, which led to the staffer’s account being shaken down for many email addresses).

Facebook’s also on the two-factor bandwagon. Kind of. Sort of.

As Graham Cluley noted in the fall, Facebook is more and more grabby as it pursues users’ phone numbers.

Login button, courtesy of ShutterstockIt’s gone so far as to force many users to enter their mobile numbers for authentication when they create an account, or as a security check in the case of suspicious activity. Which is two-factorish, albeit in a fashion that seems a trifle arbitrary and self-serving.

And then again there’s PayPal, which uses two-factor authentication if you stump up the cash for it.

That is, sometimes PayPal requires you to enter in your ever-changing token code.

Except, well, you know, if it sends a one-time weblink to your email address, asks you for two secondary passwords (aka security questions, or passwords by another name), and then lets you log in without your token code, as happened to Sophos expert Troy Cunningham.

As far as Twitter’s anticipated move goes, it would be nice if the company did it in a consistent, bolted-down way, instead of taking missteps as many other companies have.

If Twitter does manage to do it right, big brand names would be wise to adopt two-factor authentication as soon as it’s available, so as to avoid some of the truly embarrassing account takeovers we’ve seen befall certain companies, such as:

…whose accounts have either been hacked or who would love to have their constituents believe their accounts were hacked, given how embarrassingly pink and fleshy some of those tweets can be.

Will Twitter two-factor authentication stem the tide of woebegone Twitter hacking victims, be they true or fictional accounts?

Perhaps. But not to worry: the intertubes will always find new ways to keep us entertained, Twitter hacks or no.

Login button, courtesy of Shutterstock