This article originally appeared in TidBITS on 2013-05-22 at 2:34 p.m.

Twitter Adds Two-Factor Authentication

by Glenn Fleishman

Twitter has joined the club of major Web services that let you set a higher level of security for accessing an account. PayPal, Apple, Dropbox, Google, Facebook, and several others now offer such a feature, which makes it significantly more difficult for a cracker, vandal, or jilted partner to break into an account and examine your private affairs or post in your name. An account can still be taken over, but doing so typically requires physical access to a computer, mobile phone, or digital key fob. (See “Apple Implements Two-Factor Authentication for Apple IDs [1],” 21 March 2013.)

A number of high-profile Twitter accounts have been hijacked recently, causing embarrassment and worse — as in the case of a bogus AP wire service tweet that said the White House had been bombed [2] and President Obama injured. But Twitter account hijacks are extremely common even for average users, especially those with interesting handles — it was the root cause of the infamous hacking of Wired writer Mat Honan (we discussed this, and what you can do to prevent it, in “Watch TidBITS Presents “Protecting Your Digital Life” [3],” 22 August 2012). Typical attacks rely on weaknesses at email accounts used for backup. One friend of mine had his four-letter handle stolen because of a flaw in Gmail account recovery. (Twitter’s Safety & Security department got it back for him.)

Twitter’s two-factor login verification [4] requires both a phone number and an email address, each of which must be verified through its system. Twitter thereafter uses SMS to send you a six-digit code that you enter to confirm a valid login. You will also need to generate temporary passwords [5] to log in to Twitter on other devices.
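What a service should do with a texted six-digit code once it reaches the server is the part the article does not show. The following is an added example written for this edition of the article, not Twitter's own code (which is not public): the names LoginCodeStore, send_sms and PEPPER, the five-minute code lifetime and the five-attempt limit are all assumptions, and the phone numbers are constructed.

```python
"""Server-side lifecycle of a six-digit SMS login code.

Added example, not Twitter's code. LoginCodeStore, send_sms and PEPPER
are hypothetical; the lifetime and attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5            # assumption: five wrong guesses invalidate the code
PEPPER = b"constructed-server-secret"   # constructed; keep in a secrets manager in practice

SENT_MESSAGES = []   # stand-in for an SMS gateway: records what would be texted


def send_sms(phone_number: str, text: str) -> None:
    """Placeholder for the SMS gateway; only records the message."""
    SENT_MESSAGES.append((phone_number, text))


def generate_code() -> str:
    """Uniformly random, zero-padded six-digit code from the CSPRNG (not random.randint)."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def _digest(user_id: str, code: str) -> str:
    """Keyed hash of the code so a database leak does not expose live codes."""
    return hmac.new(PEPPER, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


class LoginCodeStore:
    """Holds one pending code per user: its digest, expiry time and failed attempts."""

    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}

    def issue(self, user_id: str, phone_number: str, now: float) -> str:
        code = generate_code()
        # Re-issuing replaces any earlier code, so only one code is live at a time.
        self._pending[user_id] = {
            "digest": _digest(user_id, code),
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send_sms(phone_number, f"Your login code is {code}")
        return code   # returned only so the scenario below can drive the flow

    def verify(self, user_id: str, submitted: str, now: float) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if now > entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
            # Expired or guessed too often: drop it; the user must request a new code.
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        ok = (
            len(submitted) == CODE_DIGITS
            and submitted.isdigit()
            and hmac.compare_digest(_digest(user_id, submitted), entry["digest"])
        )
        if ok:
            del self._pending[user_id]   # single use: a captured code cannot be replayed
        return ok


def run_scenario() -> dict:
    """Drive the store through the cases a reviewer would check; all should be True."""
    store = LoginCodeStore()
    results = {}

    code = store.issue("alice", "+10000000000", now=1000.0)   # constructed number
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_rejected"] = not store.verify("alice", wrong, now=1001.0)
    results["correct_accepted"] = store.verify("alice", code, now=1002.0)
    results["replay_rejected"] = not store.verify("alice", code, now=1003.0)

    code = store.issue("bob", "+10000000001", now=1000.0)
    results["expired_rejected"] = not store.verify(
        "bob", code, now=1000.0 + CODE_TTL_SECONDS + 1)

    code = store.issue("carol", "+10000000002", now=0.0)
    wrong = "999999" if code != "999999" else "999998"
    for _ in range(MAX_ATTEMPTS):
        store.verify("carol", wrong, now=1.0)
    results["locked_after_max_attempts"] = not store.verify("carol", code, now=2.0)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

A six-digit code has only a million possibilities, so the attempt limit and the short lifetime are what make it safe to use; the keyed hash means the database holds nothing that can be turned back into a usable code, and deleting the entry on success means a code seen in transit is worthless once the legitimate user has entered it.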

I found that I first had to link my phone number to Twitter. Go to the Twitter Mobile settings page [6], and if your phone isn’t shown, you have to enter it and then send a text message to Twitter (it doesn’t automatically send a code to you). Send the text GO to 40404 to verify your number. The next important step is unchecking all of the Twitter SMS notification options beneath your verified number! I, for one, want none of those. Click Save Changes when you’re done.


Now you can click Account in the settings list on the left, scroll down, and select Require a Verification Code When I Sign In. A pop-up alert confirms that you’ll get a test message sent to your phone: click Okay, Send Me a Message. If the SMS comes through, click Yes. Finally, enter your password again when prompted. You may still back out at this stage by clicking Cancel; otherwise, click Save Changes.

It’s unfortunate that SMS is the only method Twitter uses for two-factor authentication; many firms now rely on a third-party token generation app like Google Authenticator [8] or Duo Mobile [9], both free. (I now have six two-factor logins managed through Google Authenticator, and have a short-duration screen-lock set on my iPhone.) Apple makes use of its own special conduit to iOS devices through the Find My iPhone service. But Twitter says more security enhancements will follow, and I expect tying in with existing authentication options (especially in corporations) will be part of that.
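The token apps mentioned above, Google Authenticator and Duo Mobile, generate time-based one-time passwords (TOTP, RFC 6238) rather than waiting for a text message, which is why they work without a mobile signal. The following is an added example written for this edition of the article; it is not code from either app or from Twitter. It uses the reference test key from RFC 6238 so the codes can be checked against the RFC's own table, and the otpauth:// URI is the format authenticator apps read from an enrolment QR code. The account and issuer names are constructed.

```python
"""Time-based one-time passwords (RFC 6238) as generated by authenticator apps.

Added example; not Google Authenticator's, Duo Mobile's or Twitter's code.
The secret is the RFC 6238 Appendix B reference key for SHA-1.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # the usual time step for authenticator apps
DIGITS = 6

RFC6238_TEST_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(at_unix_time // STEP_SECONDS))


def verify_totp(secret: bytes, submitted: str, at_unix_time: float,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the time step the submitted code matched, or None if it is invalid.

    window: how many steps of clock drift to tolerate on each side of 'now'.
    last_counter: step of the last code accepted for this user; that step and
    earlier ones are refused so a code seen once cannot be replayed within the window.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current = int(at_unix_time // STEP_SECONDS)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code during enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 lists 94287082 for T=59; a six-digit app shows the last six digits.
    print(totp(RFC6238_TEST_SECRET, 59))
    print(provisioning_uri(RFC6238_TEST_SECRET, "user@example.com", "ExampleService"))
```

The server and the app share nothing but the secret and the clock, so no message has to be delivered at login time; the drift window covers phones whose clocks are a little off, and tracking the last accepted step closes the replay gap that the window would otherwise open.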