Twitter has finally implemented a two-factor authentication system following an embarrassing hack of the Associated Press’ Twitter account that briefly sent financial markets into turmoil.
The ease in which hackers compromised the AP account came as no surprise as many Twitter accounts are regularly hacked due to weak passwords and a relatively lax security system that allows applications to post tweets without reconfirming credentials. Often a victim just needs to click on a link to give hackers full posting access to an account.
Last week Twitter took its first steps to making accounts more secure by turning on an optional two factor authentication system. Two factor authentication involves securing accounts with a username and password as well as requiring the user to enter a code that is sent to a mobile phone once the password is correctly entered. Because it is tied to a single mobile device that is presumably in the user’s physical control, a hacker will have a difficult time entering the account with just the username and password alone.
The system is not as robust as Google’s two factor system that we reviewed last fall, but Twitter’s new system does make significant progress towards making the popular social networking service more secure.
When implemented, Twitter’s system requires the mobile device code for logging in through their website, but also for authorizing new applications to post on the service. The user will need to go to Twitter’s website (after verifying their credentials with the two factor system) and generate a special password to authorize the application. While adding an additional burden for users, it does make the account significantly more secure given a mobile device must be in possession of the user. It’s great for accounts where multiple users have access to posting, as only the account administrator can authorize new applications.
The system is not without its flaws, as security researchers point out. A skilled hacker who is determined to take over a specific user’s account can figure out a way to circumvent the system using SMS spoofing (provided they know the mobile number of the account holder). But most users are not specifically targeted and often find themselves compromised after clicking links randomly sent to their account.
The new security layers are an optional feature and must be implemented on each account. Twitter only allows one mobile phone per account, so those managing multiple accounts will need to come up with an alternative phone numbers for each account they control. One solution is to use a Google Voice account as a phone number.
Click here to watch a larger screen version of our how-to video.