Twitter right to think 2-factor authentication a journey, not a destination

Micro-blogging site plans to continue to innovate around authentication use cases.
Written by John Fontana, Contributor

Twitter on Tuesday upgraded its first attempt at adding a two-factor authentication option to its service, but the real value is the fact that the social networking site realizes it can't stop there.

Twitter said it will continue to make improvements in securing authentication and filling in gaps; namely, providing better security for accounts shared by two or more users.

Shared accounts are typical for company-branded Twitter accounts. But two-factor authentication that uses a mobile phone as a second factor does not work for multi-user accounts, because the account is tied to a single user's phone.

Twitter is also looking at solving other specific use cases.

Twitter security engineer Alex Smolen wrote on Twitter's blog, "We'll continue to make improvements so signing in to Twitter is even easier and more secure. For example, we're working on building login verification into our clients and exposing a login verification API for other XAuth clients so people who don't have access to the web also have a seamless login experience."

However, Twitter's improvements, which are still in beta, are not without hiccups. A Los Angeles Times reporter wrote about being locked out of his account when he activated Twitter's new authentication upgrade. Other users have reported similar issues.

Twitter accelerated its two-factor authentication efforts after it was hacked in February and lost 250,000 user passwords.

In May, it rolled out a basic two-factor authentication that sends a code to a user's phone. The user must enter the code before the login to their Twitter account is completed. The authentication flow is similar to two-factor systems used by other service providers such as PayPal and Evernote.

On Tuesday, Twitter unveiled a new two-factor authentication option that is tied to the Twitter mobile application and uses a 2048-bit RSA keypair. The new method does not require the user to receive a code or type in numbers, and it includes options for users who forget or lose their phones.
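The article describes the keypair-based option only in outline. As an added illustration that is not Twitter's code, the following Go program assumes a plain challenge-response design: the phone holds the 2048-bit RSA private key, the server stores the matching public key at enrolment, and a login attempt is approved only when the phone signs a fresh server-issued nonce, which the server accepts exactly once.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Server keeps the public key enrolled from the phone and the challenges
// still awaiting approval, so each nonce can be approved at most once.
type Server struct {
	pub     *rsa.PublicKey
	pending map[string]bool
}
func NewServer(pub *rsa.PublicKey) *Server {
	return &Server{pub: pub, pending: map[string]bool{}}
}
// IssueChallenge creates a fresh 32-byte random nonce for one login attempt.
func (s *Server) IssueChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Approve verifies the phone's RSA-PSS signature over the challenge; an
// unknown or already-approved nonce is refused, which blocks replay.
func (s *Server) Approve(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	h := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(s.pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return errors.New("signature does not verify")
	}
	delete(s.pending, key) // one approval per challenge
	return nil
}

// SignChallenge runs on the phone; the private key never leaves the device.
func SignChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
```

A real deployment would also bind the challenge to the login session and device, and would need the backup path the article mentions for users who lose their phone.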

Despite all the technology engineering, Twitter and other two-factor authentication adopters also will need some social engineering.

Traditionally, two-factor authentication has not suffered at the hands of the technology, but from users who grow tired of the extra steps or lose hardware tokens that provide a second factor.

Gunnar Peterson, managing principal at Arctec Group, told ZDNet in March that two-factor authentication is "an incremental win, and it is generally good that [this interest in two-factor authentication] is happening". But he added that "initial authentication needs to get stronger".
