
Twitter Adds Two-Factor Authentication

Twitter has joined the club of major Web services that let you require a second factor, beyond your password, to get into an account. PayPal, Apple, Dropbox, Google, Facebook, and several others already offer such a feature, and it makes it significantly harder for a cracker, vandal, or jilted partner to break into an account, read your private messages, or post in your name. An account can still be taken over, but a stolen or guessed password alone is no longer enough: the attacker typically also needs physical possession of a trusted computer, mobile phone, or digital key fob. (See “Apple Implements Two-Factor Authentication for Apple IDs,” 21 March 2013.)

A number of high-profile Twitter accounts have been hijacked recently, causing embarrassment and worse, as in the case of a bogus AP wire service tweet that said the White House had been bombed and President Obama injured. But Twitter account hijacks are extremely common even for average users, especially those with short or interesting handles: a coveted three-letter handle was the motive behind the infamous hacking of Wired writer Mat Honan (we discussed this, and what you can do to prevent it, in “Watch TidBITS Presents “Protecting Your Digital Life”,” 22 August 2012). Typical attacks don’t go after Twitter directly; they exploit weaknesses in the email account that Twitter uses for password recovery. One friend of mine had his four-letter handle stolen because of a flaw in Gmail account recovery. (Twitter’s Safety & Security department got it back for him.)

Twitter’s two-factor login verification requires both a phone number and an email address, each of which must be verified through Twitter’s system. Thereafter, each time you sign in on the Web, Twitter sends a six-digit code by SMS, and you enter it to complete the login. For other devices and third-party apps, which can’t prompt you for the code, you instead generate temporary passwords from your account settings.

I found that I first had to link my phone number to Twitter. Go to the Twitter Mobile settings page; if your phone isn’t shown, enter it, and then verify it by sending a text message to Twitter (Twitter doesn’t send a code to you at this step). Text GO to 40404 to verify your number. The next important step is unchecking all of the Twitter SMS notification options beneath your verified number, because linking a number turns them on. I, for one, want none of those. Click Save Changes when you’re done.

Now click Account in the settings list on the left, scroll down, and select Require a Verification Code When I Sign In. A pop-up alert confirms that a test message will be sent to your phone: click Okay, Send Me a Message. If the SMS arrives, click Yes. Finally, enter your password again when prompted. You can still back out at this stage by clicking Cancel; otherwise, click Save Changes.

It’s unfortunate that SMS is the only method Twitter offers for its second factor; many services now rely on a free third-party code-generator app such as Google Authenticator or Duo Mobile, which compute a fresh code from a shared secret and the current time, so nothing travels over the phone network. SMS is also the weakest of the common second factors: a code shows up on a lock screen, and a phone number can be moved to another handset by someone who talks a carrier into it. (I now have six two-factor logins managed through Google Authenticator, and a short-duration screen lock set on my iPhone, since whoever holds the unlocked phone holds the codes.) Apple uses its own conduit to iOS devices, through the Find My iPhone service. But Twitter says more security enhancements will follow, and I expect tying in with existing authentication options (especially in corporations) will be part of that.

Comments about Twitter Adds Two-Factor Authentication

ccstone (TidBITS Contributor) 2013-05-22 14:53
Just about the last organization on earth I want to give my phone number to is Twitter - except maybe Facebook.

Besides that I don't get text on my cell. I won't pay the overage.

Maybe when I finally break down and get an iPhone.

B.S. -- typically Twitter.

Joseph Yarbrough  2013-05-23 08:45
An additional issue here is that you can only connect one Twitter account to a given phone number. Many of us have multiple accounts. Or in the case of a corporation, what's the one mobile number that account will be tied to? I guess that latter problem also applies to the Google Authenticator app.

Dan Daranciang (TidBITS Contributor) 2013-05-23 16:15
In place of Google Authenticator, I favor Duo Mobile. It's prettier, it's free, and it still works with any site that uses time-based code generation (Google, Dropbox...)

Glenn Fleishman (TidBITS Staffer) 2013-05-23 16:32
Excellent advice! I also have it installed, and I didn't think to pull it up. I'll amend the article.