Twitter 'rolling out two-factor authentication soon'

Twitter two-factor authentication could be here sooner rather later with internal tests thought to be already underway.
Written by Liam Tung, Contributing Writer on

Twitter is reportedly testing a two-factor authentication system that it hopes to roll out to users shortly.

Two-factor authentication could offer some defence against high-profile Twitter accounts being hacked, and follows in the wake of recent incidents where the accounts of CBS's 60 Minutes and Associated Press were stolen and, in the latter case, used to claim that US President Barack Obama been injured in an explosion at the White House. The false alarm briefly sent the Dow Jones falling by around 140 points. 

Now Twitter is internally testing a two-factor or multi-factor authentication, according to Wired, with a view to putting it into users' hands before too long. Such a system typically requires the user to enter their username and password, as well as prove their identity through another factor, such as inputting a one-time password sent to their mobile device or ID key.

Twitter reset over 250,000 passwords to user accounts in early February after noticing unusual access patterns and recently posted a job vacancy for a security engineer to develop user-facing multi-factor authentication.

Other companies that have already introduced multi-factor authentication in the past few years include Google, Facebook, Yahoo, Amazon Web Services, Dropbox, Blizzard's Battle.Net, and Valve's Steam.

Microsoft last week also began rolling out two-factor authentication that operates similarly to Google's system, and issues one time codes by text message or, in instances where the user is not connected to a network, a code is generated by a smartphone app called Microsoft Authenticator.

The app supports a standard protocol — thought to be RFC 6238, according to Ars Technica — and means that Google's 'Google Authenticator' can also be used to generate that code for Microsoft's two-factor system. Dropbox's two-factor authentication also supports the standard. 

One problem raised by Wired with two-factor authentication in the case of Twitter is how to deliver one-time passwords to accounts that have multiple users accessing that account through a variety of applications.

Google's two-factor system does have a way of handling this through the use of "application-specific passwords", which, on accounts where two-factor is enabled, allows users to establish a network of trusted devices.

An application signed with the password allows a user to establish ongoing access between Gmail and an email client like Outlook or Apple's Mail without requiring a new code every time.

Google's video explaining how that works is here

Editorial standards