Twitter rolls out two-step authentication after hack attacks
23 May 2013
Following several high-profile hack attacks, Twitter is finally rolling out a two-step authentication process to ensure a level of user security.
The microblogging platform, playing down account compromises as occasional occurrences in its announcement today, pointed out that every so often account owners alerted it to email phishing schemes or password breaches happening elsewhere on the web.
However, after the media reported a false tweet that rocked the US stock market, not to mention attacks on Burger King, Jeep and The Onion, Twitter has introduced a two-step security routine.
"When you sign in to twitter.com, there's a second check to make sure it's really you," Twitter's announcement assured.
Users can enable the feature through account settings by selecting "require a verification code when I sign in." With a confirmed mobile number and email address, any user can get the two-step system up and running.
Once login verification is enabled, users need to enter a 6-digit login code sent via SMS every time they sign in to Twitter. Twitter said existing apps would continue to work uninterrupted even after verification was enabled.
The Twitter team has also laid out the new policy in a one-minute video.
The move has elicited much criticism from security experts, who questioned why a company with more than a billion dollars in venture financing, and over 200 million active users, did not already have two-factor authentication.
With two-factor authentication users get a second, one-time log-in code by text message to make it harder for a hacker to crack into an account with just the main password. Twitter said in a blog post that it would start offering the two-step authentication procedure, which was voluntary on the part of users, on Wednesday.
Commentators point out that two-step authentication is not foolproof. Larger brands and news outlets often assign several employees to manage a single Twitter account, yet only one employee would receive the log-in code. In such situations the other employees would only be able to access the account from their usual devices, or would need to get the one-time code from the administrator, a hassle that might discourage brands from using the security feature altogether.
Experts point out that even with two-factor authentication enabled, attackers could still hijack a user's account by impersonating Twitter in what is known as a man-in-the-middle attack.
However, they point out that it still raises the bar and makes hacking into an account significantly harder.