Twitter Learns How to Do the 2-Step
Twitter may have resisted employing stronger security since the whole point of the microblogging service is to facilitate fast and easy communications. If that was its rationale, the company must have quickly rethought its security policies after hackers hijacked the AP's account. Their fake tweets sent the U.S. stock market into a nosedive, spurring Twitter to try a new security dance.
May 23, 2013 4:22 PM PT
Twitter has announced it is deploying a long-awaited security measure: two-factor verification. The move comes about a month after The Associated Press' Twitter account was hacked.
Users can activate the new security by accessing their account settings and opting to have a verification code sent to a smartphone. Upon logging in to Twitter, they must then type in a six-digit code.
Twitter is late to the game with this security tactic. A number of companies, including Google and Dropbox, already feature it. However, the company must have scrambled to get it in place after hackers sent the stock market reeling last month.
After gaining control of the AP's Twitter account, the hackers falsely reported that the White House had been bombed and that President Obama had been injured in the attack. That episode followed a number of other high-profile media hacks.
Beyond Password Security
The two-factor verification measure is applauded by the security industry because, at the bare minimum, it goes beyond password protection.
"Two-step authentication will certainly be better than one," Steve Durbin, global vice president of the Information Security Forum, told TechNewsWorld.
"The use of text messaging is also a good way to go since there is a higher chance that the genuine user will have access to their phone and so they will be the true recipient of the authentication code," he continued.
"The one-time log-in also precludes theft of the code being used over and over," Durbin pointed out, "so from a security perspective, this is obviously an enhancement that should go some way to preserving the integrity of the system and access to Twitter accounts."
Is It Too Cumbersome?
Opinions appear to be trending high that the two-factor method may be too cumbersome for Twitter users, impeding the site's easy accessibility.
For example, it is unclear whether Twitter will require it at every login, Grace Zeng, research analyst at SilverSky, told TechNewsWorld.
"If it is the case, it seems a bit costly, because SMS messages are not free of charge and the cost can add up quickly -- this may discourage many users from using it," she said.
Even if this two-factor authentication is only required once for every single machine or device, it would still be nice to provide SMS alternatives such as email or voice call for the second step authentication," Zeng suggested.
Users of group accounts may also find the method cumbersome.
The Accessibility of Social Media
That's the rub, though: Social media is supposed to be accessible and easy to use -- that's one reason it is so popular.
That very accessibility -- not to mention social media's numbers -- is what draws attackers in the first place, AlienVault CEO and President Barmak Meftah told TechNewsWorld.
"Social networking sites offer a big attack surface because of the massive numbers of users they have, making them incredibly appealing to hackers," he explained. "If a hacker can breach a social site, they can potentially do a lot of harm, causing both financial damage as well as damage to the reputation of the social network's site and business."
Still, Twitter is doing a good job of staying ahead of these trends, Meftah maintained.
"They've made some good moves in the areas of malware, botnet and threat detection by acquiring malware products and companies, and taking internal measures to strengthen their security posture," he noted.
"With the advent of this two-factor verification process," Meftah said, "Twitter is now taking steps towards further strengthening and fortifying access points, so that they can ensure the end-user accessing their site is authentic, and that their site is authentic to the end-user."