With a number of high-profile Twitter accounts recently falling victim to attack — a list that includes The Associated Press, the Financial Times, Jeep, The Onion and Burger King — the folks at Twitter have decided to institute two-factor authentication on the popular social media site.
As reported by the New York Times, Twitter’s new two-factor authentication will send users a second, one-time login code via text message, making it more difficult for hackers to compromise an account even if they have obtained its password. Two-factor authentication is not a new solution: Microsoft, Apple, Facebook and Google have been employing it for some time now.
What’s puzzling with Twitter’s move to two-factor authentication, then, is why the decision wasn’t made sooner.
A Twitter representative revealed that the rollout was delayed because the company had to first update its SMS architecture, a renovation that would also require Twitter users to update their account settings and register their phone numbers.
Twitter accounts for highly trafficked brands and media outlets are routinely run by multiple employees, but under the new authentication method only one employee would receive the login code. In such circumstances, other employees would only be able to access the account from certain devices, or would have to get the one-time code from the account administrator.
While two-factor authentication is a step in the right direction, it’s not impenetrable.
The possibility remains for hackers to compromise a user’s account by impersonating Twitter in what is known as a man-in-the-middle attack. Such attacks occur when an attacker places themselves between the two communicating parties, intercepting a message in transit — such as the six-digit code Twitter sends to a user — and relaying it onward, so that the two original parties believe they are still communicating directly with one another.
While this type of attack remains a possibility, Twitter’s addition of two-factor authentication will still make hacking its accounts significantly more difficult.