Twitter 'rolling out two-factor authentication soon'

Summary: Twitter two-factor authentication could be here sooner rather than later, with internal tests thought to be already underway.

Twitter is reportedly testing a two-factor authentication system that it hopes to roll out to users shortly.

Two-factor authentication could offer some defence against high-profile Twitter accounts being hacked, and follows in the wake of recent incidents where the accounts of CBS's 60 Minutes and Associated Press were stolen and, in the latter case, used to claim that US President Barack Obama had been injured in an explosion at the White House. The false alarm briefly sent the Dow Jones falling by around 140 points.

Now Twitter is internally testing a two-factor or multi-factor authentication system, according to Wired, with a view to putting it into users' hands before too long. Such a system typically requires the user to enter their username and password and also prove their identity through another factor, such as inputting a one-time password sent to their mobile device or generated by an ID key.

Twitter reset over 250,000 passwords to user accounts in early February after noticing unusual access patterns and recently posted a job vacancy for a security engineer to develop user-facing multi-factor authentication.

Other companies that have already introduced multi-factor authentication in the past few years include Google, Facebook, Yahoo, Amazon Web Services, Dropbox, Blizzard's Battle.Net, and Valve's Steam.

Microsoft last week also began rolling out two-factor authentication that operates similarly to Google's system. It issues one-time codes by text message or, where the user is not connected to a network, via a code generated by a smartphone app called Microsoft Authenticator.

The app supports a standard protocol, thought to be RFC 6238 according to Ars Technica, which means that Google's 'Google Authenticator' can also be used to generate the code for Microsoft's two-factor system. Dropbox's two-factor authentication also supports the standard.

One problem raised by Wired with two-factor authentication in the case of Twitter is how to deliver one-time passwords to accounts that have multiple users accessing that account through a variety of applications.

Google's two-factor system does have a way of handling this through the use of "application-specific passwords", which, on accounts where two-factor is enabled, allow users to establish a network of trusted devices.

An application signed in with such a password allows a user to establish ongoing access between Gmail and an email client like Outlook or Apple's Mail without requiring a new code every time.

Google has published a video explaining how that works.



Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
