Twitter Introduces Two-Factor Authentication To Help Thwart Phishing

Forum Moderators: not2easy & rumbas

Message Too Old, No Replies

Twitter Introduces Two-Factor Authentication To Help Thwart Phishing

engine

2:00 pm on May 23, 2013 (gmt 0)

If you're like me, logging off and on, it's going to become a pain, but, I imagine more painful if the account is hijacked.

According to Twitter, there are more security enhancements to follow.

This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address. Twitter Introduces Two-Factor Authentication To Help Thwart Phishing [blog.twitter.com]

With login verification enabled, your existing applications will continue to work without disruption. If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application.

This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers).

bill

10:32 pm on May 23, 2013 (gmt 0)

I maintain a lot of Twitter accounts...some of which need to be accessed by multiple people. Although I'm a huge fan of multi-factor authentication I'm not sure I'm too happy with this setup. The busiest accounts are maintained/monitored by several people, and those are the accounts that can't take advantage of this scheme.

It would have been preferable if they could have used a software key generator, like Google Authenticator, to implement this.

lucy24

1:19 am on May 24, 2013 (gmt 0)

Temporary password?! Isn't the whole point of multi-factor authentication that if you do need to jump through extra hoops, they're hoops that you have already designed yourself? These days probably something more specialized than the once-popular "mother's maiden name" ... which may well be your own current name.

This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers).

And, er, not to belabor the obvious, but it will definitely not work on any non-cellular telephones.

bill

1:37 am on May 24, 2013 (gmt 0)

Perhaps you're not clear on multi-factor authentication? It's not a question of adding your own security questions. In addition to a password you have a token of some sort that you always have with you, like a USB key, a security dongle, or in this case your mobile phone.

They screwed this up for me because Twitter has never supported my phone's SMS system in Japan, so I'm unable to use this even if I wanted to. That's why it would have been better for me if they had used a software key generator.

ken_b

2:50 am on May 24, 2013 (gmt 0)

I read the post in the link above.

I can't really tell if this is optional or mandatory.

Anyone know which it is?

lucy24

4:23 am on May 24, 2013 (gmt 0)

In my neck of the woods, "multi-factor" technically means it goes both ways. You do stuff to convince them that you're you-- but they also have to do something to convince you that they're really your bank and not some passing hacker.

If it's hardware-dependent, then it's beyond authentication and into the bland assumption that every individual human has their own dedicated internet-access device, shared with nobody else. Which, come to think of it, is the advertisers' target audience anyway.

bill

7:28 am on May 24, 2013 (gmt 0)

I can't really tell if this is optional or mandatory.

It's an option you have to turn on in your settings.
It had better be optional because they don't support my mobile carrier. ;-p

In my neck of the woods, "multi-factor" technically means it goes both ways

What you're describing sounds like "mutual" authentication.

According to Wikipedia, "Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")."

System

8:01 am on Jun 5, 2013 (gmt 0)

redhat

The following 3 messages were cut out to new thread by engine. New thread at: twitter/4581312.htm [webmasterworld.com]
3:18 pm on Jun 5, 2013 (utc +1)