
The news that, following a number of pretty high-profile password compromise cases, Twitter is adopting two-factor authentication for account access is to be welcomed. 2FA, as it is known, applies the better security concept of something you know combined with something you own into the access equation. The thing you know is your password, and the thing you own is your mobile phone.

Here's how it works: once 2FA has been enabled and you try to log into Twitter from a 'new' device, a code will be sent by SMS to the mobile phone which you registered with the service when setting up the two-factor security. This code has to be entered for access from the device to be granted, even if you have the correct password. Without the one, the other will fail. Twitter follows the likes of Dropbox, Facebook, Gmail and iCloud in making 2FA available in order to protect users from the compromised password threat.

However, one security expert warns that 2FA is not a security panacea. David Emm, Senior Security Researcher at Kaspersky Lab, agrees that two-factor authentication will make it harder for accounts to be hijacked but points out that there are still some potential pitfalls with the new approach.

"Twitter’s use of two-factor authentication should be welcomed with open arms. Two-factor authentication makes it difficult for someone to hijack an account, by adding another method of validation. To date a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess," Emm says, continuing "It’s easy to see why Twitter has chosen to use SMS as the second authentication method. Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers."

And now for the inevitable 'however' that follows all that:

“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app, which doesn’t require login credentials to be entered each time," Emm stated, adding "this means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication."

We should also bear in mind that it's entirely possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. This is also something that Emm warns users about, noting that Kaspersky has already seen similar malware designed to steal mTAN numbers for banking transactions.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
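To make the flow in the post concrete, here is a small model of the SMS second step (an added example, not Twitter's code): the password is checked first, a one-time code is sent to the registered phone only when the device is new, the code expires and is single-use, and a device that has been remembered is let in on the password alone, which is exactly the weak spot Emm points to. All names, the 300-second lifetime and the "outbox" standing in for an SMS gateway are assumptions for this example.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds an SMS code stays valid (constructed value)


class TwoFactorLogin:
    """Constructed model of password-plus-SMS login; not a real service's code."""

    def __init__(self):
        self.users = {}       # username -> {"password": ..., "phone": ...}
        self.pending = {}     # username -> (code, expiry) awaiting verification
        self.trusted = set()  # (username, device_id) pairs that skip the SMS step
        self.outbox = []      # stand-in for the SMS gateway: (phone, code) tuples

    def register(self, user, password, phone):
        # Kept in clear only to keep the model short; a real service stores
        # a salted password hash instead.
        self.users[user] = {"password": password, "phone": phone}

    def login(self, user, password, device_id, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(
                rec["password"].encode(), password.encode()):
            return "denied"
        if (user, device_id) in self.trusted:
            # A remembered device (for instance the phone's own app) gets in on
            # the password alone: if that device also receives the SMS, the
            # second factor adds nothing, as Emm describes.
            return "granted"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, now + CODE_TTL)
        self.outbox.append((rec["phone"], code))
        return "code_required"

    def verify(self, user, code, device_id, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)  # one attempt per code, success or not
        if entry is None:
            return "denied"
        expected, expiry = entry
        if now > expiry or not hmac.compare_digest(expected, code):
            return "denied"
        self.trusted.add((user, device_id))   # remember this device from now on
        return "granted"
```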


Wouldn't people who really care about security have ridiculously difficult-to-crack passwords in the first place? If you have a lame one, then surely it's a Darwinian thing and 'twits' (users of Twitter?) deserve to get chirped. Perhaps that's being harsh, but whose responsibility is it to ensure that passwords can't be guessed? Or is there something more to this, as in it actually being the fault of Twitter?



You'd think... However, there are a lot of variables in the 'how strong is your password' equation when a login database gets breached and is available offline for probing - not least the matter of whether the hashes are salted, for example.
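The salting point above is worth seeing in code. This added example (not from the thread or any real service) contrasts an unsalted store, where every user with the same password gets the same digest so one recovered digest exposes all of them, with a per-user salt plus PBKDF2; the iteration count and sample table are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for this example


def unsalted_hash(password):
    """What an unsalted store looks like: same password, identical digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_salted_record(password):
    """Per-user random salt plus a slow KDF; returns what the store keeps."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_salted(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])


def duplicate_digest_groups(table):
    """Number of digests shared by more than one user in a breached table.

    With unsalted hashes this is non-zero whenever users reuse a password,
    which is what makes an offline dump cheap to work through; with per-user
    salts it stays at zero even for identical passwords.
    """
    counts = Counter(table.values())
    return sum(1 for n in counts.values() if n > 1)
```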


I understand that. So Twitter's db was breached and they hadn't salted their hash? Or they resorted to md5? I'm just wondering about why Twitter decided to do this. Is it due to users' inability to create a good pw or down to Twitter's mistakes/naïvety? If the former, then I think that's awful. You can't keep making life difficult for the vast majority when a handful of vociferous numbnuts keep messing up. As we know, empty vessels make most noise. If the latter, surely there's a better way? Are the mobile numbers stored?


“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app, which doesn’t require login credentials to be entered each time," Emm stated, adding "this means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication."

I don't have Twitter, but I think this has to be the first step against identity theft.

We should also bear in mind that it's entirely possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. This is also something that Emm warns users about, noting that Kaspersky has already seen similar malware designed to steal mTAN numbers for banking transactions.

I agree. This is getting sophisticated. There has to be a short-term solution.

You can't keep making life difficult for the vast majority when a handful of vociferous numbnuts keep messing up. As we know empty vessels make most noise. If the latter, surely there's a better way? Are the mobile numbers stored?

You mean people getting careless? That's really hard to prevent.


You can make your password so strong that it is not breakable; then your account is safe. Just use a tricky kind of password.
