Twitter is reportedly going to add a two-factor authentication option to its login process in an attempt to fend off hacking attacks.
News reports state that Twitter is going to use a 2FA system like the one Google employs for its Gmail e-mail service. This system requires users to reauthenticate whenever they log in from a new device or internet address, even when they supply the account’s correct password.
“The introduction of two-factor authentication for Twitter users will be a much welcomed security improvement. It will help them reduce the number of hijacked accounts – something that is all too frequently reported when a high profile celebrity’s account is compromised,” says Ian Shaw, managing director of MWR InfoSecurity, a U.K.-based security consultancy.
In the 2FA system, the user has to provide the site with a mobile phone number. Whenever someone, including the user himself, attempts to log in through a new device or from a new internet address, the system blocks access until the user enters the correct password and a numerical code that is sent to the account holder’s mobile phone.
Although this strengthens the authentication process, it’s not exactly multi-factor authentication. “If Twitter chooses a route similar to Google then it is not true two-factor authentication,” says Shaw, noting that Google calls its process “two-step verification.”
“It does require you to have a separate device but unlike other implementations of two-factor authentication the device receives a code rather than generating it independently. Therefore there is the potential for this code to be intercepted or the user being tricked into registering an attacker’s device to receive the code. Two-factor authentication will usually only protect the initial login to the site, therefore if users are connected for long periods of time, their logged-in session could still be open to attack. To reduce this risk, two-factor authentication is often implemented with a timeout configured so that users are required to log in at regular intervals to revalidate their identity. However, this timeout can be very unpopular with users and therefore may not be implemented by Twitter,” says Shaw.
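The step-up flow the article describes (password alone from a known device or address, password plus a code sent to the phone from a new one, and a session timeout that forces revalidation) as an added Python model; this is illustrative code, not Twitter's or MWR InfoSecurity's. It assumes a 300-second code lifetime and a 3600-second session timeout, stands in for SMS delivery with a callback, and treats a (device, ip) pair as the login context; the `StepUpLogin` class and every name in it are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL = 300       # seconds an SMS code stays valid (assumed value)
SESSION_TTL = 3600   # seconds before a logged-in session must be re-established (assumed value)

@dataclass
class Account:
    password: str                                      # plaintext only for this demo; hash it in practice
    known_contexts: set = field(default_factory=set)   # (device, ip) pairs already verified
    pending: dict = field(default_factory=dict)        # context -> (code, expiry) awaiting verification
    sessions: dict = field(default_factory=dict)       # session token -> expiry

class StepUpLogin:
    def __init__(self, send_sms):
        self.send_sms = send_sms     # stand-in for SMS delivery to the registered phone number
        self.accounts = {}

    def login(self, user, password, device, ip, now):
        acct = self.accounts[user]
        if not hmac.compare_digest(password, acct.password):
            return ("denied", None)
        ctx = (device, ip)
        if ctx in acct.known_contexts:               # familiar device and address: password suffices
            return ("ok", self._open_session(acct, now))
        code = f"{secrets.randbelow(10**6):06d}"     # fresh six-digit code for this new context
        acct.pending[ctx] = (code, now + CODE_TTL)
        self.send_sms(code)
        return ("code_required", None)

    def verify(self, user, device, ip, code, now):
        acct = self.accounts[user]
        ctx = (device, ip)
        stored, expiry = acct.pending.pop(ctx, (None, 0))   # single use: consumed by any attempt
        ok = stored is not None and now <= expiry and hmac.compare_digest(stored, code)
        if not ok:
            return ("denied", None)
        acct.known_contexts.add(ctx)                 # trust this context for future logins
        return ("ok", self._open_session(acct, now))

    def _open_session(self, acct, now):
        token = secrets.token_hex(16)
        acct.sessions[token] = now + SESSION_TTL
        return token

    def session_valid(self, user, token, now):
        # once the timeout passes, the user must log in again to revalidate
        return self.accounts[user].sessions.get(token, 0) > now
```

The model makes the caveats in the quote concrete: a wrong or late code burns the pending code, and a second login from an unseen address goes through the SMS step again.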
This news comes several days after Twitter experienced an attack that forced it to reset passwords on at least 250,000 accounts because hackers had been able to access users’ e-mail addresses and encrypted passwords.
However, Shaw states that even extra security measures could not have prevented this attack. “The introduction of two-factor authentication will not help Twitter protect against the type of attacks seen last week where 250,000 users’ details were compromised. Their personal information and password will still have been compromised and while the usefulness of this information would be limited for users who choose two-factor authentication, they could still be exposed if they have used the same password on other websites.”
Twitter is reportedly working on beefing up its security, as it has a job opening for a software engineer that would focus on developing security features for the site.