Twitter has introduced a new two-factor security system – an optional “extra layer” of security which should help to prevent unauthorised access to accounts. The move comes in the wake of a series of high-profile attacks on Twitter accounts owned by media organisations including Associated Press and the Financial Times.
The new, SMS-based system was announced via a post on the official Twitter blog.
“Today we’re introducing a new security feature to better protect your Twitter account: login verification,” said Jim O’Leary of the site’s Product Security Team in his post. “This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address. ”
“After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com,” O’Leary writes. The system has to be activated via Twitter’s “Account Settings” page.
ESET Senior Research Fellow David Harley says, “I’m not a fan of static passwording – in fact, I was reminded of something I’ve said before in a paper: ‘The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques.'”
“So the gradual drift towards two factor by social media sites is encouraging, though I doubt that too many people will take advantage of such facilities while they’re just optional. In fact, Twitter did take a more forceful approach a few years ago by preventing people from using any passwords from its own blacklist of the most stereotyped passwords: I referred to it in a paper on PINs and passwords.”
Pressure on Twitter to improve security has grown in recent weeks, after a spate of incidents including an attack on the main Associated Press Twitter account where hackers sent out bogus “news” about an attack on President Obama. The AP Tweet caused panic on stock markets, wiping 143 points off the Dow Jones in minutes. Twitter previously provided media companies with guidelines on how to resist such hacks, including steps such as designating specific PCs to access company Twitter accounts.
“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers). However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned,” said O’Leary.
Author Rob Waugh, We Live Security