Twitter intros two-factor authentication to quash hacking spree

Twitter has responded to the spate of security breaches on high-profile accounts by rolling out a new login system to foil hackers targeting the social network.

Rolling out to user accounts now is an option to “Require a verification code when I sign in,” which is accessible via settings and brings two-factor authentication to Twitter for the first time.

The feature enables users to add their phone number to the system, so every time a new device attempts to log in to the account, they are texted a code to be entered after the username and password stage of the login process.

As a result, hackers who obtain login credentials will not necessarily be able to enter the account thanks to the second layer of authentication. Many security commentators have been calling for Twitter to implement such a system in recent months, following a chain of breaches that attracted headlines.

Notable victims this year include the BBC, Guardian, The Financial Times, The Onion, Burger King, and Jeep, and while most of the hacks have led to largely harmless spoof tweeting, an attack on the Associated Press account in April saw the hackers post that an explosion had taken place in the White House, causing the US stock market to briefly nosedive.

“Of course, even with this new security option turned on, it’s still important for you to use a strong password and follow the rest of our advice for keeping your account secure,” Twitter says.

“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers). However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”

David Emm, Senior Security Researcher at Kaspersky Lab, welcomed the move, but warned that SMS-based authentication may not necessarily solve the issue.

“It’s easy to see why Twitter has chosen to use SMS as the second authentication method. Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers,” Emm comments.

“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app, which doesn’t require login credentials to be entered each time. This means that the same device is being used for both authentication factors, and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication.”
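The following Python model, added here as an illustration and not Twitter's own code, walks through the login verification flow described above (password first, then a texted code on an unrecognised device) and Emm's caveat about a remembered app session on the same phone. The `LoginVerification` class, the 300-second code lifetime, the device names and the sample account details are assumptions made for the example.

```python
import hmac, secrets, time

CODE_TTL = 300  # seconds a texted code stays valid (assumed value, not Twitter's)

class LoginVerification:
    """Toy model of a password + SMS-code login for one account."""
    def __init__(self, password, phone_number, now=time.time):
        self._password = password
        self.phone_number = phone_number   # phone enrolled for login verification
        self._now = now                    # injectable clock, for testing expiry
        self._pending = {}                 # device_id -> (code, expiry time)
        self.trusted_devices = set()       # devices holding a persistent app session
        self.outbox = []                   # stands in for the SMS gateway: (phone, code)

    def start_login(self, device_id, password):
        # Factor 1: the password. Leaked credentials alone get an attacker only this far.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return "denied"
        if device_id in self.trusted_devices:
            return "granted"   # Emm's caveat: a remembered app session skips factor 2
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[device_id] = (code, self._now() + CODE_TTL)
        self.outbox.append((self.phone_number, code))   # "text" the code
        return "code_sent"

    def finish_login(self, device_id, code, remember_device=False):
        # Factor 2: the texted code, single-use (popped) and time-limited.
        pending = self._pending.pop(device_id, None)
        if pending is None:
            return "denied"
        expected, expiry = pending
        if self._now() > expiry or not hmac.compare_digest(code.encode(), expected.encode()):
            return "denied"
        if remember_device:
            self.trusted_devices.add(device_id)
        return "granted"

def demo():
    """Constructed scenario: owner enrols, attacker has the password, phone is stolen."""
    acct = LoginVerification("correct horse", "+1-555-0100")
    acct.start_login("owner-phone", "correct horse")
    owner = acct.finish_login("owner-phone", acct.outbox[-1][1], remember_device=True)
    # Attacker with the stolen password on a new laptop is stopped at the code step.
    attacker = acct.start_login("attacker-laptop", "correct horse")
    wrong = f"{(int(acct.outbox[-1][1]) + 1) % 10**6:06d}"   # constructed wrong guess
    guess = acct.finish_login("attacker-laptop", wrong)
    # The stolen owner phone still carries the trusted app session: factor 2 is bypassed.
    stolen_phone = acct.start_login("owner-phone", "correct horse")
    return {"owner": owner, "attacker": attacker, "guess": guess, "stolen_phone": stolen_phone}
```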