Twitter launches two-factor authentication

Twitter has been plagued by high profile account hacks in recent months – especially those by the Syrian Electronic Army (SEA) hacking group trying to promote its pro-Syrian government position. The problem is that Twitter has relied on password-protected access to accounts; and passwords are easily lost, stolen or guessed. Yesterday Twitter responded and tweeted: “Make your Twitter account more secure with login verification, in 4 easy steps...” It pointed to an official blog entry that announced and described its new 2FA process.

Like many such systems, it requires an SMS-capable separate phone. Users who adopt the process must register the phone with Twitter. Once activated, account access requires an additional six-digit code that is sent out-of-band to the mobile phone.

As with all security issues, however, it is important to remember that just because a system uses 2FA, that doesn’t mean it’s secure. Man-in-the-browser malware can steal authentication codes. This means that attacks against high profile accounts may be more difficult, but still possible. And for the man in the street, if the attacker knows the user’s password and has access to the phone, then consider the account hacked.

There is also a built-in weakness to the system. Many users simply won’t bother with 2FA – it gets in the way of ease-of-use, and requires that the user always has his or her phone to hand in order to use Twitter. That, however, is a personal choice that cannot be blamed on Twitter. The accounts that are most likely to adopt the process are those that have been targeted by SEA: high profile business accounts with a large number of followers. The problem here is that such accounts often have multiple account users to maintain a steady stream of tweets covering the whole business. And this is the weakness: Twitter’s 2FA allows only one phone per account.

Since this simply doesn’t fit in with the business process of larger organizations, those companies with the most need for 2FA will be those companies – for the time-being – least able to adopt it. It may be that Twitter has longer term plans to solve this issue: an umbrella company account that automatically follows multiple individual associated accounts that each need their own SMS authentication, for example. It may be that Twitter rushed out its 2FA earlier than intended because of all the high profile hacks.

Certainly it knows that this can only be the start of improved security, and effectively admits as much in its blog: “much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.” Meantime, 2FA is a good start: a security offering that puts the onus back on the user.