Twitter 'rolling out two-factor authentication soon'

Twitter two-factor authentication could be here sooner rather later with internal tests thought to be already underway.

Twitter is reportedly testing a two-factor authentication system that it hopes to roll out to users shortly.

Read this

Twitter for Windows 8, Windows RT now in the Windows Store

Twitter's native client for Windows 8 and Windows RT is available for download, as of March 13.

Read More

Two-factor authentication could offer some defence against high-profile Twitter accounts being hacked, and follows in the wake of recent incidents where the accounts of CBS's 60 Minutes and Associated Press were stolen and, in the latter case, used to claim that US President Barack Obama been injured in an explosion at the White House. The false alarm briefly sent the Dow Jones falling by around 140 points. 

Now Twitter is internally testing a two-factor or multi-factor authentication, according to Wired, with a view to putting it into users' hands before too long. Such a system typically requires the user to enter their username and password, as well as prove their identity through another factor, such as inputting a one-time password sent to their mobile device or ID key.

Twitter reset over 250,000 passwords to user accounts in early February after noticing unusual access patterns and recently posted a job vacancy for a security engineer to develop user-facing multi-factor authentication.

Other companies that have already introduced multi-factor authentication in the past few years include Google, Facebook, Yahoo, Amazon Web Services, Dropbox, Blizzard's Battle.Net, and Valve's Steam.

Microsoft last week also began rolling out two-factor authentication that operates similarly to Google's system, and issues one time codes by text message or, in instances where the user is not connected to a network, a code is generated by a smartphone app called Microsoft Authenticator.

The app supports a standard protocol — thought to be RFC 6238, according to Ars Technica — and means that Google's 'Google Authenticator' can also be used to generate that code for Microsoft's two-factor system. Dropbox's two-factor authentication also supports the standard. 

One problem raised by Wired with two-factor authentication in the case of Twitter is how to deliver one-time passwords to accounts that have multiple users accessing that account through a variety of applications.

Google's two-factor system does have a way of handling this through the use of "application-specific passwords", which, on accounts where two-factor is enabled, allows users to establish a network of trusted devices.

An application signed with the password allows a user to establish ongoing access between Gmail and an email client like Outlook or Apple's Mail without requiring a new code every time.

Google's video explaining how that works is here