It seems clear that the earlier SMS-based system was a stop-gap brought out under pressure of the increasing number of account hacks and especially the high-profile hacks from the Syrian Electronic Army (SEA).
This was relatively easy to implement relatively quickly; but while welcomed by the security industry as better than nothing, it was also widely criticized. Firstly, it did not offer universal coverage – some phone carriers could not be included. Secondly, SMS-based 2FA can still be compromised and is susceptible to SMS delivery channel and server compromises. Thirdly, since it was based on the user's mobile phone number, it could not be used where single accounts are shared by multiple users – which precisely include the high-profile accounts beloved by the SEA.
What nobody knew at the time was that Twitter was aware of these weaknesses and working on a more advanced 2FA system to solve them. The company has now launched its new app-based authentication process.
The new app-based system is certainly more secure. It uses a private key held in the app coupled with a public key held by Twitter. The private key never leaves the user. A back-up access code can also be used if the app isn't available. This involves a 64-bit random seed hashed 9,999 times so that even if the server gets compromised the log-on code cannot be discovered. But still it is not without its critics.
"This new app-based approach is definitely preferable to the first version," comments Jamie Cowper, senior director of Nok Nok Labs. But, he adds, "I believe coverage will suffer as a result of this new approach." It will work for enterprise users since multiple devices can be logged into the same account, but "that presupposes that all of the users have an iOS or Android device."
Thomas Pederson, CEO of OneLogin, takes a similar 'usability' view in a guest blog on USA Today. "The problem for enterprises," he writes, "is that relying on multi-factor authentication enforcement at the application level gets annoying very quickly for users. Controlling who has access to specific applications and corresponding data is a complicated exercise, especially with applications running in the Internet cloud."
Authy, another authentication firm, highlights potential problems drawn from its own experience – it had experimented with a similar system last year, but decided not to proceed. "The first flaw is that it only works when the phone is 'online.' Although smartphones are 'most' of the time online, once you really track this, you discover that is not as true as you think." Traveling, no data plan, loss of reception, or just plain turned off are examples. "If you design a Two-Factor solution that only works when people are online, they'll soon start bumping into issues and will disable it."
But the biggest problem is that it decouples authentication from location. While this may seem like an advantage (it allows the user to remotely authenticate a co-worker), the data provided by Twitter to confirm the identity of the co-worker is easy to spoof. "If the attacker is familiar with the user," says Authy, "he can easily select 'good' values to further trick the user into authorizing the request."
It should be noted that all of these criticisms come from competitive authentication systems – but that in itself does not invalidate them. The biggest single problem with authentication systems is not in the technology used, but designing something that people will actually use. On paper, the new Twitter app-based authentication system appears to be both secure and easy. But only time will tell whether it is adopted by users, and how well it stands up to new methods of attack.