Tuesday, May 28, 2013

Twitter 1-and-a-half Factor Authentication

   As you may have read, and hopefully enabled, Twitter added a 2-factor authentication capability last week.

   If you haven't yet turned this on, here's how.  Log in to Twitter; select Settings; select Mobile; add and activate your phone.  Here are the detailed instructions for adding your phone number. To enable 2-factor authentication, select Account, then check the box labeled: Account security

   Here's the good news... as I've discussed in the past, I am a fan of using some kind of 2-factor auth for website authentication.  I also like the use of a smartphone for delivering that one-time-use PIN or code.  While we still have a digital divide in the US, most people do have a cell phone, and most of those have a smartphone.

   But there are some issues.
   First, why did Twitter implement their PIN delivery via SMS text message?  Why not use Google Authenticator?  It's a great tool.  And now that Google has joined the FIDO Alliance, we can look forward to more synergy with Google Auth.

   Of course, if you lose your smartphone then you can't log in to Twitter.  And logging into Twitter from your smartphone is essentially at most 1-factor, because all you need is the password (if the phone isn't already logged in), and the PIN code will come to that same phone as a text message.  (Yes, Google Auth also runs on that same phone, so it is the same situation.)

   One interesting idea I've heard is to use a Google Voice number for Twitter 2-factor.  You provide that number to Twitter, and texts sent to it then arrive on both your smartphone and your computer.  If your phone were lost, you could still connect to Twitter (to tweet that your phone is lost!).

   Among the bigger issues with online authentication are cross-site linkages.  The most common of these is password reuse - simply using the same credentials for more than one site, for example using your Facebook ID and password to log in to Twitter.  If you are reusing credentials, adding 2-factor here will only protect your Twitter account, not the other accounts using the same password.

   But wait, there's more!  And here is where things get interesting.  Many people don't use the Twitter client or TweetDeck to access their Twitter account.  There are many alternate clients.  When you set up one of these clients, you grant the software access to your Twitter account.  Now... when you initially grant that access with Twitter 2-factor enabled, you will need to provide the access code.  But not for subsequent connections!  This bypasses the extra security.  And, if your Hootsuite or UberSocial (both clients I like and use) account has a poor or reused password, then this provides another vector into your Twitter account.

   There are other potential issues listed here.
   These issues aside, I do recommend enabling this new feature.  Here are my recommendations:
  1. create a long Twitter password
  2. use a password vault (and if you use LastPass then enable Google Auth)
  3. enable Twitter 2-factor authentication
  4. if you have any alternate clients, revoke their access from Twitter, then re-establish access with a Twitter 2-factor code
  5. create long passwords on any alternate Twitter clients
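   The client-access bypass described above, and recommendation 4's fix for it, are easiest to see in a small model.  The following is an added example, not Twitter's code and not taken from this post: it simulates a service where interactive login requires a password plus a text-message code, where authorizing a third-party client asks for that code exactly once and then hands the client a stored token, and where revoking all client tokens forces each client back through the code step.  The class names (Service, SmsGateway, Account), the client name "ExampleClient" and the phone number are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class SmsGateway:
    """Stand-in for the carrier text-message channel (constructed for this example).
    It only records the last code delivered to each phone number, which is how
    the example 'reads' the code the way the phone's owner would."""

    def __init__(self):
        self.sent = {}  # phone number -> last one-time code delivered

    def send(self, phone, code):
        self.sent[phone] = code


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    phone: str
    two_factor: bool = False
    client_tokens: dict = field(default_factory=dict)  # token -> client name
    pending_code: Optional[str] = None  # text-message code awaiting confirmation


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Service:
    """Toy account service: password + SMS second factor, plus delegated client tokens."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.accounts = {}

    def register(self, user, password, phone, two_factor=False):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), phone, two_factor)

    def _password_ok(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def begin_login(self, user, password):
        """Interactive login, step 1. Returns 'denied', 'ok' (no 2-factor) or 'need_code'."""
        if not self._password_ok(user, password):
            return "denied"
        acct = self.accounts[user]
        if not acct.two_factor:
            return "ok"
        acct.pending_code = f"{secrets.randbelow(1_000_000):06d}"
        self.gateway.send(acct.phone, acct.pending_code)  # the PIN goes out by text
        return "need_code"

    def finish_login(self, user, code):
        """Interactive login, step 2: the code that arrived on the phone."""
        acct = self.accounts[user]
        ok = acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code)
        acct.pending_code = None  # one-time use, whether or not it matched
        return ok

    def authorize_client(self, user, client_name, password, code_reader):
        """Grant an alternate client access. The second factor is asked for once,
        here; the token handed back is all the client presents afterwards."""
        step = self.begin_login(user, password)
        if step == "denied":
            return None
        if step == "need_code" and not self.finish_login(user, code_reader()):
            return None
        token = secrets.token_urlsafe(32)
        self.accounts[user].client_tokens[token] = client_name
        return token

    def client_request(self, token):
        """A later connection from the client: only the stored token is checked,
        so neither the password nor a text-message code is involved."""
        for user, acct in self.accounts.items():
            if token in acct.client_tokens:
                return user
        return None

    def revoke_all_clients(self, user):
        """Recommendation 4: drop every delegated token so each client has to
        go through authorize_client, and therefore the code step, again."""
        acct = self.accounts[user]
        revoked = len(acct.client_tokens)
        acct.client_tokens.clear()
        return revoked
```

   The point the model makes is that after the one authorization, client_request never touches the second factor: whoever holds the client's token, or the client account's (possibly reused) password, is in.  revoke_all_clients is the only thing that puts the code back in the path, which is why the post recommends revoking and re-establishing client access after turning 2-factor on.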
   Hopefully we will see great use of 2-factor, and integration with FIDO-enabled tools, across a wider variety of online sites.
