Twitter has been the target of a number of high-profile breaches lately. These breaches have been a good example of how brands and reputations take a ding when a breach occurs. And, with a site like Twitter, where people turn for breaking news alerts, a breached account can also cause a national panic and false news reports, as we discovered when a breached AP account “reported” a bombing at the White House.
Granted, the AP Twitter hack and many other Twitter hacks are coming from the user end (the AP hack was the result of a phishing scheme, for example), but none of these hacks makes Twitter look like it takes security seriously. Now, Twitter has announced a change in its security. The social media site revealed that it is offering two-factor authentication (2FA) for its users. According to Twitter’s blog post, users will be asked to supply a phone number, and a six-digit number will be texted to users to verify the login. The final paragraph of the blog post reminds users to use a strong password.
It sounds like a step in the right direction, and anyone who reads my blog regularly knows that I am a proponent of 2FA or any authentication that improves on the simple password/user name combination. However, Twitter’s new 2FA security has a lot of skeptics in the security world, and some of the skepticism makes a lot of sense. For example, the Sophos Naked Security blog stated:
Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.
2FA isn't going to help these companies, because they can't all access the same phone at the same time.
Good point. The 2FA option is good for someone who is the sole user of an account, but it ignores the fact that many companies, not just media, have multiple people handling their social media under one account. In fact, I have friends who are part of a social media team, and since team members are spread across the country, they can’t just hand over the phone when their shift is done.
Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.
F-Secure also showed that no confirmation code is required when adding a phone number, making it easy for a hacker, an angry employee, or anyone else to take over the account and lock out the actual owner.
Again, another good point. However, what none of the security experts offered was an alternative solution. No, this 2FA isn’t perfect. It has a lot of logistical flaws that need to be addressed, especially for those who use Twitter within the enterprise space. But it is something, and that’s more than we had a week ago.
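To make the F-Secure point concrete, here is an added example (my own illustration, not Twitter’s code or anything from the Sophos or F-Secure posts) contrasting the weak flow, where whoever holds the session can bind any phone number, with a flow that only binds the number after a six-digit code sent to it has been entered. The five-minute code lifetime and the in-memory SMS stand-in are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_TTL = 300   # assumed policy: a six-digit code is valid for five minutes
SENT_SMS = []    # stand-in for the SMS gateway so the example runs offline


def send_sms(phone, text):
    SENT_SMS.append((phone, text))


def new_code():
    # Six digits from a CSPRNG, zero-padded so short values are not revealed.
    return f"{secrets.randbelow(10**6):06d}"


class Account:
    def __init__(self, username):
        self.username = username
        self.phone = None     # number that login codes will be sent to
        self.pending = None   # (candidate_phone, code, issued_at) awaiting proof


def bind_phone_unverified(account, phone):
    """The weak flow the post describes: the number is bound with no proof of possession."""
    account.phone = phone


def start_phone_enrollment(account, phone, now=None):
    """Hardened flow, step 1: send a code to the candidate number; nothing is bound yet."""
    now = time.time() if now is None else now
    code = new_code()
    account.pending = (phone, code, now)
    send_sms(phone, f"Your verification code is {code}")


def confirm_phone_enrollment(account, submitted, now=None):
    """Hardened flow, step 2: bind only if an unexpired, single-use code matches."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    phone, code, issued = account.pending
    account.pending = None   # single use: a wrong guess burns the code
    if now - issued > CODE_TTL or not hmac.compare_digest(code, submitted):
        return False
    account.phone = phone
    return True
```

A hijacked session still cannot move the account to an attacker-controlled number unless the attacker also receives the SMS, and the account owner sees the unexpected code on their own phone.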