The news that, following a number of high-profile password compromise cases, Twitter is adopting two-factor authentication for account access is to be welcomed. 2FA, as it is known, brings the stronger security principle of combining something you know with something you own into the login process. The thing you know is your password, and the thing you own is your mobile phone.
Here's how it works: once 2FA has been enabled and you try to log into Twitter from a 'new' device, a code is sent by SMS to the mobile phone you registered with the service when setting up two-factor security. That code has to be entered before access from the device is granted, even if the password is correct. Without the one, the other will fail. Twitter follows the likes of Dropbox, Facebook, Gmail and iCloud in making 2FA available in order to protect users from the compromised-password threat.
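The flow just described, as an added Python illustration (not Twitter's code): the password is checked first, and a login from a device that has not yet passed 2FA triggers a fresh, single-use SMS code that must be entered before access is granted. The class name, the callbacks and the stand-in SMS gateway are assumptions made for the example.

```python
import hmac
import secrets
import time

# Added illustration of the flow described above (password first, then a one-time
# SMS code whenever the login comes from a device not yet trusted). All names and
# the stand-in SMS gateway are constructed for this example, not Twitter's code.
CODE_TTL = 300      # seconds a delivered code stays valid
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is discarded


class TwoFactorLogin:
    def __init__(self, password_ok, send_sms, now=time.time):
        self.password_ok = password_ok  # callable(user, password) -> bool
        self.send_sms = send_sms        # callable(phone, text), e.g. an SMS gateway client
        self.now = now
        self.phones = {}                # user -> mobile number registered at 2FA setup
        self.trusted = set()            # (user, device_id) pairs that already passed 2FA
        self.pending = {}               # user -> [code, expires_at, attempts_left, device_id]

    def login(self, user, password, device_id):
        """'ok' grants access, 'code_sent' means the second factor is required, else 'denied'."""
        if not self.password_ok(user, password):
            return "denied"
        if user not in self.phones or (user, device_id) in self.trusted:
            return "ok"                 # 2FA not enabled, or this device was verified before
        code = f"{secrets.randbelow(10**6):06d}"   # fresh, single-use, delivered out of band
        self.pending[user] = [code, self.now() + CODE_TTL, MAX_ATTEMPTS, device_id]
        self.send_sms(self.phones[user], f"Your login code is {code}")
        return "code_sent"

    def verify_code(self, user, device_id, submitted):
        """The code must match, be unexpired and come from the device that triggered it."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, _, issued_for = entry
        if self.now() > expires_at or issued_for != device_id:
            del self.pending[user]
            return False
        if not hmac.compare_digest(code, str(submitted)):
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[user]
            return False
        del self.pending[user]              # single use: a replayed code will not work
        self.trusted.add((user, device_id)) # this device stops prompting for a code
        return True
```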
However, one security expert warns that 2FA is not a security panacea. David Emm, Senior Security Researcher at Kaspersky Lab, agrees that two-factor authentication will make it harder for accounts to be hijacked but points out that there are still some potential pitfalls with the new approach.
"Twitter's use of two-factor authentication should be welcomed with open arms. Two-factor authentication makes it difficult for someone to hijack an account, by adding another method of validation. To date a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess," Emm says, continuing: "It's easy to see why Twitter has chosen to use SMS as the second authentication method. Nearly everyone today has a mobile phone, so this method doesn't require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers."
And now for the inevitable 'however' that follows all that:
"However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app, which doesn't require login credentials to be entered each time," Emm stated, adding: "This means that the same device is being used for both authentication factors, and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication."
We should also bear in mind that it is entirely possible we will see smartphone malware specifically designed to steal the SMS authentication code. Emm warns users about this too, noting that Kaspersky has already seen similar malware designed to steal the mTAN numbers used to authorise banking transactions.