Twitter has announced the availability of two factor authentication (2FA) for its service, meaning that users can opt-in to something stronger than just a username and password to protect their accounts.
In a blog post, Twitter explains how the new security measure works.
If you decide to turn 2FA on for your Twitter account, every time you try to log into the site you will be prompted to enter a six-digit code that Twitter sends to your phone via SMS.
Here is a video Twitter released, demonstrating the feature:
So, the big question is this: is it going to help media organisations such as The Guardian, NPR, the Financial Times, and others who have had their Twitter accounts hijacked by the likes of the Syrian Electronic Army?
Sadly, I don’t think it’s going to help them at all.
Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.
2FA isn’t going to help these companies, because the six-digit code is sent to a single phone, and staff scattered around the globe can’t all have that phone in their hands at the same time.
Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to “own” the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories.
It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.
Of course, *another* solution would be to have an intermediary service, acting as a proxy, to which journalists could post their Twitter updates (using appropriate authentication) and then have *that* service feed the official Twitter account.
If you take that approach, just ensure that the proxy service itself is properly secured – give each journalist their own credentials rather than another shared password, keep the real Twitter account’s credentials inside the proxy where staff can’t see them, and log who posted what – to keep out hackers and mischief-makers.
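The intermediary service described above, as an added example that is not from the original post and not Twitter’s or anyone’s real product: a toy posting gateway in Python in which each journalist logs in with their own password, is assigned a role (the “different levels of authority” the article mentions), and only the gateway holds the credential for the shared account. The role names, the PBKDF2 parameters, the `publish` callable standing in for the real posting call and the sample users are all assumptions made for the illustration.

```python
"""Toy posting gateway: per-user login, role checks, audit log, one hidden account credential.

Constructed for this example; it is not Twitter's code or any real newsroom's.
"""
import hashlib
import hmac
import os
import secrets

# Assumed role hierarchy: contributors draft, editors publish/approve, admins manage users.
ROLE_LEVEL = {"contributor": 1, "editor": 2, "admin": 3}


def _hash_password(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256; iteration count is an assumed, illustrative value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PostingGateway:
    """Journalists authenticate to this service; only it can post with the shared account."""

    def __init__(self, publish):
        self._publish = publish   # assumed callable that posts as the real account; its credential never leaves here
        self._users = {}          # username -> {"salt", "digest", "role"}
        self._sessions = {}       # session token -> username
        self._drafts = {}         # draft id -> (author, text)
        self.audit = []           # (actor, action, detail): who did what with the shared account

    def add_user(self, username, password, role):
        if role not in ROLE_LEVEL:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "digest": _hash_password(password, salt), "role": role}

    def login(self, username, password):
        """Returns a session token, or None. Hashes even for unknown users so timing leaks nothing."""
        user = self._users.get(username)
        salt = user["salt"] if user else os.urandom(16)
        digest = _hash_password(password, salt)
        if user is None or not hmac.compare_digest(digest, user["digest"]):
            self.audit.append((username, "login_failed", ""))
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self.audit.append((username, "login", ""))
        return token

    def _actor(self, token, min_role):
        """Resolve a session and enforce the minimum role, raising PermissionError otherwise."""
        username = self._sessions.get(token)
        if username is None:
            raise PermissionError("invalid or expired session")
        if ROLE_LEVEL[self._users[username]["role"]] < ROLE_LEVEL[min_role]:
            raise PermissionError(f"{username} lacks role {min_role}")
        return username

    def submit(self, token, text):
        """Editors and admins publish directly; contributors only queue a draft."""
        username = self._actor(token, "contributor")
        if ROLE_LEVEL[self._users[username]["role"]] >= ROLE_LEVEL["editor"]:
            self._publish(text)
            self.audit.append((username, "published", text))
            return ("published", None)
        draft_id = secrets.token_hex(4)
        self._drafts[draft_id] = (username, text)
        self.audit.append((username, "drafted", draft_id))
        return ("queued", draft_id)

    def approve(self, token, draft_id):
        """An editor (or admin) publishes a contributor's draft; returns the published text."""
        editor = self._actor(token, "editor")
        author, text = self._drafts.pop(draft_id)
        self._publish(text)
        self.audit.append((editor, "approved", f"{draft_id} by {author}"))
        return text

    def revoke(self, token, username):
        """Admins remove a user and kill their sessions without touching the shared account's password."""
        admin = self._actor(token, "admin")
        self._users.pop(username, None)
        for t, u in list(self._sessions.items()):
            if u == username:
                del self._sessions[t]
        self.audit.append((admin, "revoked", username))
        return username


def is_denied(action, *args):
    """True if the gateway refuses the action with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    outbox = []                                  # stands in for the real account's timeline
    gw = PostingGateway(outbox.append)
    gw.add_user("alice", "correct horse", "editor")      # constructed sample users
    gw.add_user("bob", "battery staple", "contributor")
    alice, bob = gw.login("alice", "correct horse"), gw.login("bob", "battery staple")
    print(gw.submit(alice, "Breaking: editor posts directly"))
    status, draft_id = gw.submit(bob, "Contributor draft")
    print(status, "->", gw.approve(alice, draft_id), "| outbox:", outbox)
    print("audit:", gw.audit)
```

The point of the design is that a departing or compromised journalist costs you one per-user credential, not a password reset on the shared account that every bureau then has to learn.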
Corporations with “shared accounts” on Twitter would be wise to keep their defences updated, educate their staff on security and best practice, and learn the lessons of how Twitter accounts have been hacked in the past.
If you do enable Twitter two-factor authentication, whether you are Joe Public or a multinational corporation, realise that the technology isn’t going to help if you have users who are easily phished.
Determined online criminals can use “man-in-the-middle” techniques: a phishing page that relays your username and password to the real Twitter login in real time, so that Twitter texts you a genuine code, and then grabs that six-digit code too when you type it into the fake page – all before the code expires.
So, even if you do turn on Twitter’s 2FA, you still need to double-check that when you enter your username and password, or your six-digit code, you are *really* on Twitter’s https website, and not on a look-alike domain.
Otherwise, the crooks can just use all three items to log in as you…
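The relay attack described above, as an added simulation that is not part of the original article: a toy server that issues a six-digit code after a correct password, an attacker’s proxy page that forwards the victim’s username, password and freshly received code within the code’s lifetime, and the address-bar check the article recommends, written as a function. The 120-second code lifetime, the sample account and the `twitter.com` host check are assumptions; Twitter’s real implementation is not described on the page.

```python
"""Simulated relay phishing of an SMS code, plus the origin check a user should make.

Constructed for this example; the server is not Twitter's implementation.
"""
import secrets
import time
from urllib.parse import urlsplit

CODE_TTL_SECONDS = 120  # assumed lifetime of an SMS code; the article gives no figure


class OtpLoginServer:
    """Toy login backend: password first, then a six-digit code 'sent by SMS'."""

    def __init__(self, users):
        self.users = users      # username -> password (plaintext only because this is a toy)
        self.pending = {}       # username -> (code, issue time)

    def start_login(self, username, password, now=None):
        """Step 1: verify the password and issue a code to the account holder's phone."""
        if self.users.get(username) != password:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, time.time() if now is None else now)
        return code   # the SMS reaches the real user's phone, not the attacker's

    def finish_login(self, username, code, now=None):
        """Step 2: accept the code once, within its lifetime."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None or code is None:
            return False
        expected, issued = entry
        if now - issued > CODE_TTL_SECONDS:
            del self.pending[username]
            return False
        if not secrets.compare_digest(expected, code):
            return False
        del self.pending[username]   # single use
        return True


def relay_phish(server, username, password, now=0.0, victim_delay=30.0):
    """Attacker's look-alike login page, acting as a live proxy to the real server.

    The victim types username and password into the fake page; the proxy forwards
    them, which makes the real server text the victim a genuine code; the victim
    then types that code into the fake page too, and the proxy forwards it before
    it expires. Returns whether the attacker ended up logged in.
    """
    code_sent_to_victim = server.start_login(username, password, now=now)
    code_victim_typed = code_sent_to_victim          # the victim believes the page is genuine
    return server.finish_login(username, code_victim_typed, now=now + victim_delay)


def is_genuine_login_origin(url, expected_host="twitter.com"):
    """The check to make before typing anything: https, and the real host.

    Rejects look-alikes such as 'twitter.com.evil.example' and 'twltter.com', and
    the 'https://twitter.com@evil.example/' user-info trick.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == expected_host or host.endswith("." + expected_host)


if __name__ == "__main__":
    server = OtpLoginServer({"newsdesk": "hunter2"})   # constructed sample account
    print("relay phish succeeds:", relay_phish(server, "newsdesk", "hunter2"))
    for url in ("https://twitter.com/login", "http://twitter.com/login",
                "https://twitter.com.login-verify.example/", "https://twitter.com@evil.example/"):
        print(url, "->", is_genuine_login_origin(url))
```

The code lifetime and single-use rule do not save the victim here, because the attacker submits the code seconds after it was typed; only refusing to type anything into the wrong origin does.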
In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today.
Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.
Right now Twitter’s 2FA is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the Syrian Electronic Army in the past.
6 comments on “Why Twitter’s two-factor authentication isn’t going to stop media organisations from being hacked”
Wish they'd offer Google Authenticator as well (or do what Facebook does and build your own token system into the mobile app). I'm sick of giving companies my phone number.
Why not just have one phone in a central location that all the staff can access (locked drawer idea)? If they had a single token (i.e. RSA) they would have to do the same thing.
Because often staff aren't in a central building. They're in the field, or working from home, etc.
Seems like it would be easy enough to implement in a corporate environment if they really wanted — all you need is for the phone number that receives the code to forward it to accounts that have access. Annoying, yes, but doable if the number of tweets is modest.
It's nuts that they actually require you to receive the code via SMS since those out of cell range but with network connections would not be able to tweet unless they have wifi calling. Apps like Google Authenticator are much better in that they can be used on multiple phones and do not require cell reception.
Twitter do have a system in which users can tweet from their own accounts on behalf of the company account. However for over a year it appears to be in a closed beta.
See the API for hints about contributors https://dev.twitter.com/docs/api/1.1/get/statuses…
Didn’t work. See Google’s announcement today.