As much as we’ve ragged on Twitter’s inept security strategy, we have to hand it to Twitter this time around. As terrible as Twitter’s first attempt at two-factor authentication was, this second go at a security upgrade is a huge improvement – here’s why.
Out with the old, in with the new
How is the new version any different from the old? In many ways the latest two-factor authentication system is far more secure (although that doesn’t mean it’s fool-proof). Previously, users were stuck with an authentication process that involved phone numbers, SMS notifications, and typing a confirmation code into Twitter.com. The process was panned as clunky and unreliable. In fact, SMS verifications aren’t difficult to bypass: All it takes is a replica of Twitter’s webpage and a hint of trickery to dupe users into typing their account info, passwords, and verification codes into the fake Twitter site.
So here’s how the new process works: When you sign into Twitter.com with your username and password, its servers will push a verification request to your mobile phone to validate the log-in attempt. All you have to do is to verify (or reject) the log-in request on either Twitter’s iOS or Android app. And to give you further peace of mind, Twitter logs and informs you about the location, the time, and the browser that you appear to be logging in from.
Toopher CEO Josh Alexander, who has been very vocal about social security systems, is giving Twitter one thumb up – he’s saving the other thumb for when Twitter fixes the two-factor authentication bugs and offers the same support for accounts with multiple users.
“What Twitter did with its new two step authentication solution is historic. Yes, a small handful of companies have developed similar or better technology over the past couple of years. And while some enterprises and universities have begun adopting these technologies internally, we have not yet seen consumer-facing security that simultaneously increases both usability and security,” says Alexander.
The mechanics of the authentication process itself have their complexities, like the fact that the 2048-bit asymmetric RSA keypair is generated and stored locally on your phone, and only its public key is sent, encrypted, to Twitter’s servers. The point of this is to prevent snooping. What this means is that after you’ve verified that it was you who signed in, even if the key sent from your phone to Twitter were intercepted, the attacker would hold only the encrypted public key, which is not one and the same as the private key, so hackers couldn’t use it to hack your account.
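The push-based flow described above, as an added example in Go that is not Twitter’s code: the phone generates a 2048-bit RSA keypair and registers only the public half; the server pushes a login request carrying the browser, location and time; the phone signs an approve or reject decision with its private key, and the server accepts only a signed approval. The type and field names, the request format and the sample values are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LoginRequest is what the server pushes to the phone (field names are assumed).
type LoginRequest struct{ ID, Browser, Location, Time string }

// Phone keeps the private half of a 2048-bit RSA keypair generated on-device;
// Server stores only the public half, registered at enrollment.
type Phone struct{ priv *rsa.PrivateKey }
type Server struct{ pub *rsa.PublicKey }

// Enroll generates the keypair on the phone and hands the public key to the server.
func Enroll() (*Phone, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Phone{priv}, &Server{&priv.PublicKey}, nil
}

// digest binds an approval to one request and one decision, so a captured approval cannot be replayed elsewhere.
func digest(r LoginRequest, decision string) []byte {
	h := sha256.Sum256([]byte(r.ID + "|" + r.Browser + "|" + r.Location + "|" + r.Time + "|" + decision))
	return h[:]
}

// Approve is the user tapping verify or reject: the phone signs with its private key, which never leaves the device.
func (p *Phone) Approve(r LoginRequest, decision string) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest(r, decision), nil)
}

// Accept is true only for an "approve" decision signed by the enrolled key.
func (s *Server) Accept(r LoginRequest, decision string, sig []byte) bool {
	return decision == "approve" &&
		rsa.VerifyPSS(s.pub, crypto.SHA256, digest(r, decision), sig, nil) == nil
}

func main() {
	phone, server, _ := Enroll()
	req := LoginRequest{"req-001", "Firefox", "Portland, OR", "2013-08-06T14:02Z"}
	sig, _ := phone.Approve(req, "approve")
	fmt.Println("login accepted:", server.Accept(req, "approve", sig))
}
```

Because the server holds only the public key, a second device that enrolls its own keypair (or an eavesdropper who captured the public key) cannot produce a signature the server will accept for the enrolled account.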
A good effort, but will users adopt the new system?
“This is harder to crack,” says Alexander when asked about how secure he finds the new system. “But it’s not safe enough to keep our concerns at bay.” He isn’t so much concerned about accounts being hacked as that Twitter users will mind the tedium of verifying a login through an out-of-band authentication (like using a smartphone to verify a login from a desktop).
“Despite the improvement to both usability and security, Twitter’s new solution doesn’t cross the usability threshold that would allow for mass adoption,” Alexander explains. He estimates that Twitter will face the normal “legacy” two step adoption rate, meaning that just between 0.5 percent and 2 percent of users will bother to add this two-factor authentication method. “This is because this solution still requires significant friction and change to normal user behavior – which means user experience is impaired.” And the point of the system is not only to improve security for its users, but to also get people to use two-factor authentication in the first place. After all, what’s the use in releasing a product that no one would use anyway?
Even Alexander doesn’t deny that Twitter’s solution is far superior and admittedly a step in the right direction. “There is still more work to be done – this is a great first step away from one time passwords via text message, and Twitter knows this is only the beginning.”
You’ll find bugs, but fortunately Twitter isn’t settling
Two-factor authentication is a work in progress, says Twitter security engineer Alex Smolen, and some users are already finding the early glitches. After opting into two-factor authentication, L.A. Times reporter Paresh Dave reported on Twitter’s fatal flaw – namely not receiving login requests on his smartphone and being locked out of his account. And he’s not the only one who’s encountered this problem.
But regardless of how many users actually bother to opt into two-factor authentication, and issues that might plague the feature straight out of beta, thankfully Twitter isn’t settling. “We’ll continue to make improvements so signing in to Twitter is even easier and more secure,” says Smolen. We expect the bugs and kinks to get ironed out over the coming weeks. Better yet, Twitter says a system for users who log into multiple accounts is on the way.
And since third-party Twitter clients are just about everywhere on the Web, a verification API makes sense, as Smolen announced. This would let users log into a third-party Twitter client with Twitter’s new style of authentication without the hassle of the old school method requiring users to input a generated temporary password.
While Twitter’s authentication process may neither win over every user, nor the majority for that matter, what its security team has accomplished is massively upping the ante. “[Twitter is helping] set a precedent for the online community demonstrating that one-time passwords via text message are no longer acceptable.”