Two-factor authentication won't protect Twitter, Google: OneID

Although Twitter is looking for an engineer to implement two-factor authentication for its users, it still won't prevent a repeat of the recent attack that saw 250,000 users exposed, according to OneID founder Steve Kirsch.

Two-factor authentication provides an additional effective step to thwart would-be attackers from taking over users' accounts, but it is currently not an option for Twitter users. On the back of recent attacks on the site, many have been calling for Twitter to implement it, but, according to Kirsch, even if Twitter does roll out the security measure, it won't prevent the attack from occurring.

While not dismissing two-factor authentication systems' effectiveness at preventing existing phishing attacks from being successful, Kirsch said that the number of people signing up for it in existing services is abysmal, and doesn't do much for improving overall security.

"From a practical point of view, it would be like offering a feature that no one used," he said.

Given that many attacks are opportunistic, focusing on the number of accounts that attackers and scammers can hack, Kirsch said that it would barely make a difference. In fact, he said that introducing two-factor authentication would hurt the user experience.

"Even adding a single character to a password in Twitter — if you require nine characters versus eight characters — even just doing that requirement measurably affects sign-up rates and so forth. Twitter wants to do whatever it can to make it easier for customers, and adding two-factor authentication is moving in exactly the wrong direction," he said.

"Even if they move to two factor, and even if everyone adopted it, which they wouldn't ... it'll make no difference."

The reason for this is that the most recent attack on Twitter wasn't conducted on users' accounts; it was on Twitter's own infrastructure. By directly attacking the servers containing the password hashes of Twitter users, two-factor authentication would make little difference.

Kirsch admitted that although user passwords might be salted and hashed, if attackers have compromised a server to the point where they can retrieve that information, it would be likely that they could do worse. This includes sniffing users' passwords as they enter the server, and converting them into hashes to be compared. Such examples have been documented for some time, where sensitive information that's sent to a web server is intercepted as it appears in plain text in the machine's RAM prior to processing.

Kirsch said that at the centre of the attack is the fact that Twitter, along with many other organisations that already use two-factor authentication, relies on a "shared secret" — a user password, whether it is eventually converted into a hash, a keyfile, or similar.

He argued for a better system, where even if the server is completely compromised, it would still be impossible to gain access to users' information. And he says that such a system has existed for years.

Kirsch is pushing for companies like Twitter and Google to use public key cryptography. In this case, if attackers wanted to retrieve passwords for accounts, they wouldn't have a single point that they could break into, because the only thing they would obtain from centralised servers are public keys, which are useless by themselves. The private keys — the other part of the "secret" needed to secure communications — would be located on users' machines, jointly opening the possibility to remove passwords altogether.

"We basically said, let's take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect."

As for why it hasn't been adopted in greater numbers yet, Kirsch said that the relative complexity of public key cryptography schemes has been user unfriendly, but that those days are numbered.

"It's the advances in browser technology; things like having HTML5 local storage, things like JavaScript, which is powerful enough to run these cryptographic algorithms; things like the invention of elliptic curve cryptography, which makes the computation very fast.

"All of these factors have come together to finally and after all these years — after 30 years — we can finally make this public key-digital signature world a reality. [Users] can essentially have one username, one password, that they can use everywhere and that even if there's a breach of any site, or multiple sites, that it doesn't matter. That will truly change usability for everyone."