Twitter released its two-factor authentication option today, after major media organizations were tricked into giving out their login information to hackers.
Two-factor authentication adds a second check when logging into an account. It can take a few different forms but generally involves a one-time code that users must enter alongside their username and password. The code can be supplied by a mobile application such as Google’s Authenticator app, by text message, or by a piece of hardware such as an RSA SecurID token. Each code is usually valid only for a short window, so a code that leaks cannot be reused later to get into the account.
Twitter is using text-messaged codes, according to its announcement today. Text messaging reaches a much larger portion of the population than an app, which requires users to have a smartphone, although Twitter warns that some carriers may not support the feature. The trade-off is that a code delivered by text message can be phished just like a password, and it only protects the account if it has expired by the time the attacker tries to use it.
You can turn two-factor authentication on by going to your account settings in Twitter and selecting “require a verification code.” You’ll then have to enter a phone number. After two-factor is set up, you will have to enter the code every time you log in to Twitter.
A number of big-name companies, including Apple, have rolled out two-factor authentication in response to account hijackings. Twitter recently experienced a rash of “break-ins” involving the accounts of major media publications, among them CBS, NPR, and the Associated Press. The Syrian Electronic Army, a pro-regime group of hackers that often attacks publications over their coverage of the conflict in Syria, has claimed responsibility for most of these hacks. It says it usually gets access through phishing expeditions, sending employees of the target company emails that look legitimate and ask for their login credentials.
In the case of the AP, a false tweet about an explosion at the White House caused the Dow Jones Industrial Average to drop one percent within a minute. PhishMe co-founder Aaron Higbee explained that consumer-facing sites often leave these codes valid for longer than usual because consumer sites don’t like having any barriers to entry. If a hacker phishes a code and it still works when the hacker uses it, then the two-factor authentication is useless. Jim Fenton, the chief security officer of OneID, also argues that two-factor authentication is breeding a false sense of security.
Twitter says that with the two-factor technology in place, it can now introduce further security features on top of it.
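The validity window that Higbee describes is easiest to see in code. The following is an added example, not code from the original article or from Twitter: it implements the time-based one-time-password scheme used by authenticator apps (RFC 4226 HOTP and RFC 6238 TOTP), with a server-side verifier whose acceptance window is configurable. Twitter's own text-message codes are not necessarily TOTP and their lifetime is not published; the timestamps, the replay delay and the use of the RFC 4226 test-vector secret as the demo key are constructed for illustration. The point it demonstrates is the one made in the paragraph above: with a tight window, a phished code is worthless two minutes later, while with a generous window the same phished code still logs the attacker in. The verifier also refuses to accept a code twice, which closes the second replay path.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verifier with a bounded acceptance window and replay rejection.

    window is the number of 30-second steps on either side of 'now' that are
    still accepted. A large window is the "codes left active longer than usual"
    behaviour criticised in the article: a code phished at time t keeps working
    well past t.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_used_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_used_counter:
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


# Constructed demo key: the RFC 4226 test-vector secret, not a real credential.
SECRET = b"12345678901234567890"
T0 = 1_369_200_000  # constructed timestamp for the victim's login attempt


def phished_code_replay(window: int, delay_seconds: int) -> bool:
    """Attacker phishes the victim's current code at T0 and submits it delay_seconds later.

    Returns True if the server (with the given window) accepts the stale code.
    """
    victim_code = totp(SECRET, T0)
    server = TotpVerifier(SECRET, window=window)
    return server.verify(victim_code, T0 + delay_seconds)


def single_use_check() -> tuple:
    """Same code submitted twice within the window: only the first use should succeed."""
    code = totp(SECRET, T0)
    server = TotpVerifier(SECRET, window=1)
    first = server.verify(code, T0)
    second = server.verify(code, T0 + 5)  # attacker replays five seconds later
    return first, second


if __name__ == "__main__":
    print("tight window (+/-30s), replay after 120s:", phished_code_replay(1, 120))
    print("loose window (+/-5min), replay after 120s:", phished_code_replay(10, 120))
    print("same code used twice:", single_use_check())
```

The tight-window run rejects the stale code and the loose-window run accepts it, which is exactly the difference between a second factor that limits a phishing attack and one that merely inconveniences the attacker. For text-message codes the same logic applies with whatever lifetime the site chooses, since there is no clock-synchronised step on the phone; the shorter that lifetime, the less a phished code is worth.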