Modernizing Authentication — What It Takes to Transform Secure Access
Simply logging into Twitter with a single username and password isn't enough anymore.
In recent months, the weakness of the single username/password system on Twitter has been exposed with high profile exploits. Twitter is rolling out the solution, or at least part of it, with a new layer of login verification.
The login verification is a form of two-factor authentication, which requires users to login with a second identifier in order to get access. Two-factor authentication is already used by Google, Facebook, Paypal and Apple among others.
Twitter's two-factor system is not an application or token-based approach, but instead is strictly tied to a user's mobile phone via SMS.
How To Implement Twitter's New Login
For users, implementing the new two-factor system is a simple process.
In the Account Settings page of a Twitter account, users need to check the "Require a verification code when I sign in" box. In order to check the box, users will need to add a mobile phone number to their Twitter account.
Once the box is checked, Twitter sends an SMS to ensure that everything works. Twitter also warns users that future logins will not work without the verification code that will be sent via SMS.
Finally Twitter asks users to re-enter their Twitter password in order to save changes to their account. After the changes have been saved, users will need to enter the verification ID number that Twitter provides via SMS each time they log into Twitter.
Does Twitter's New System Work?
Wolfgang Kandek, CTO of security firm Qualys, told eSecurity Planet that he likes the way that Twitter has implemented two-factor authentication. "SMS message to a registered phone is widely usable and very much in line with the original character of the Twitter service," he said.
That said, Kandek points out it does not solve the problem where multiple people need access to a "shared" account, as was the case with the recent exploit of the AP's Twitter account.
"We either need authorized accounts to modify the master account, or these scenarios will have to be covered with Twitter applications that are authorized through the new temporary and strong passwords that one has to generate in the Settings section of Twitter," Kandek said.
Jim Fenton, CSO of OneID, is not a fan of the new Twitter login verification system. In his view it doesn't fix the real security problem.
"I turned it on and now, any time I want to log in to the Twitter website, it first waits for me to successfully enter username/password. If correct, it sends me a six-digit code to type in," Fenton said. "This is helpful if someone gets a hold of my password, but there are a lot of other vulnerabilities this doesn't cover."
Fenton noted that in his case, he doesn't actually log into Twitter very often since his browser simply stay logged in via cookies and his apps stay logged in via OAuth tokens.
"So even if they can't log in as me, if they can get (perhaps via malware) my browser cookies or the OAuth tokens for any of my Twitter apps, they can still access my account," Fenton said.
Are Apps the Real Security Issue?
While some people log in to Twitter.com to tweet, others typically use an app that is connected to their Twitter account. In the app case, Twitter will now need to generate a one-time password for each app in order for users to access the service.
Fenton sees the app password generation approach as a usability challenge.
"If the app is on the same device as your browser, you can cut and paste the temporary password," Fenton said. "If not, you will need to retype something like: 5qdOWvy8lVGy. This is awful to do on a phone, and you need to figure out whether that's the letter O or a zero, and a lowercase l or the digit 1."
The challenge with the use of one time passwords for apps is that it gives the user a token that's shared with all of the other users of that app on that Twitter account.
"So it isn't possible to revoke a single instance of an app, and it isn't possible to discern which of possibly many users who have access to a corporate account were compromised if an unauthorized tweet goes out," Fenton said. "This is, most likely, the real security problem that AP and others experienced, not disclosure of the account password."
Enterprise Best Practices
Simply enabling the new two-factor system for Twitter isn't enough to ensure security, especially for multi-user corporate accounts.
Richard Henderson, security strategist at Fortinet's Fortiguard Threat Research & Response Labs, told eSecurity Planet that companies looking to adequately protect their social media accounts from highjacking and embarrassment need to look beyond two-factor authentication.
"Most importantly they should have a dedicated computer that is used solely for social media posting, and not piggyback that task on Mister or Miss Marketing's regular PC that they use for email and daily work," Henderson suggests. "By reducing the threat footprint for attackers to potentially gain access from, you limit the chance that an attacker will be able to successfully plant malware or tools that will steal credentials and gain access to those social media accounts."
Henderson also suggests that users remove all unneeded software from the dedicated social media computer. He also recommends the use of a dedicated social media posting client like Hootsuite, which will also limit exposure to threats like drive-by-download and watering hole type attacks through the Internet browser.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.