Twitter introduces another way for you to better secure your account

28 Jun 2018 0 Google, Privacy, Social networks, Twitter

by John E Dunn

Twitter has added the ability to authenticate to the service using hardware tokens such as Yubico’s YubiKey.

Announced towards the end of a blog post on the company’s efforts to deter spam and malicious bots, it marks a convenient step up in security for Twitter users who may already be using this type of second factor with other services.

The company introduced SMS-based Login Verification almost five years ago, but since then it’s been slow to move with the times. What’s more, it’s been accepted for some time that SMS authentication is less than secure in a number of different ways – it is vulnerable via the mobile app, through attacks on the mobile network, or through SIM swap fraud.

Six months ago, some time after this feature was enabled by other internet brands such as Google and Facebook, Login Verification became possible on Twitter through the use of third-party apps such as Google Authenticator, Duo Mobile, or Authy.

That has now been extended to FIDO Universal 2nd Factor (U2F) security keys. Using one makes it much harder to hack an account even when an attacker has got hold of the username and password, because logging in also requires physical possession of the token.
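To make the “physical possession” point concrete, here is a small Go model of the U2F challenge-response, added for this article and not code from Twitter, Yubico or the FIDO project. The token type, the app IDs and the challenge bytes are constructed assumptions; the payload layout (hashed app ID, user-presence byte, counter, hashed challenge) follows the U2F authentication message, and the counter check goes slightly beyond the article by showing how a replayed response or a cloned key is caught.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is a constructed stand-in for a U2F security key: a private key that
// never leaves the token and a counter that increases on every signature it makes.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }

// Registration is what the relying party stores: public key and the last counter seen.
type Registration struct{ Pub *ecdsa.PublicKey; Counter uint32 }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Register is the enrolment step: the token hands over only its public key.
func (a *Authenticator) Register() *Registration { return &Registration{Pub: &a.priv.PublicKey} }

// signedData is the U2F authentication payload: SHA-256(appID) || user-presence byte ||
// big-endian counter || SHA-256(challenge); the hashed app ID binds it to the browser's origin.
func signedData(appID string, c uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	out := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c)) // 0x01: button touched
	return append(out, chal[:]...)
}

// Sign answers a challenge; only whoever physically holds the token can produce this.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	d := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return a.counter, sig, err
}

// Verify is the relying-party check: a stolen password yields no signature, a look-alike
// origin signs the wrong appID, and a counter that does not advance means replay or a clone.
func Verify(reg *Registration, appID string, challenge []byte, counter uint32, sig []byte) bool {
	d := sha256.Sum256(signedData(appID, counter, challenge))
	if counter <= reg.Counter || !ecdsa.VerifyASN1(reg.Pub, d[:], sig) {
		return false
	}
	reg.Counter = counter
	return true
}
```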

You’ll find the Twitter setting to turn this on by visiting Settings and privacy > Account > Review your login verification methods > Login Verification.


When we tried this on an account without any method of verification in place, it asked us to enable SMS verification to the registered mobile number first, after confirming our password. With that step complete, the options to use an authentication app or enrol a token appeared.

This is an authentication check on the act of setting up even stronger authentication, presumably to stop attackers who break into an account from enrolling their own second factor and locking the owner out completely.

It’s worth saving a backup code to guard against the possibility of losing the key or not having access to the mobile authenticator app. You can print out a list of codes for safekeeping. Also, note that enabling Login Verification will require using a one-off temporary password on other desktop computers or apps – your usual username and password alone won’t work.

Twitter’s Login Verification guide explains:

For example, if you enabled login verification in your account settings on the web and need to log in to the Twitter for Mac app, you will need to use a temporary password to do so.

I set up authentication through Chrome without any problems; however, the U2F key enrolment refused to complete on Firefox. I’m unsure why this happened (Firefox supports U2F authentication). I have sought clarification on this from Twitter – along with further detail on how mobile devices will support Twitter hardware authentication when those tokens lack NFC support. I will update this article if and when I hear back.

Twitter is also not forthcoming about how many of its users have bothered to turn on Login Verification in any form. If Google is anything to go by, very few.

That’s a huge shame. Two-factor authentication is an excellent, cheap security upgrade that everyone should use.
