Twitter dumps SMS form of two-factor for significantly more secure method
The key change is that Twitter is no longer using verification codes sent over SMS text messages. Instead, it has adopted a more secure method involving cryptographic key exchanges and the mobile Twitter app.
Twitter does smarter security
As soon as users sign up to two-factor authentication, their phone generates an asymmetric 2048-bit RSA keypair. The private key is stored locally on the device, whilst the public key is kept on Twitter servers.
“Whenever you initiate a login request by sending your username and password, Twitter will generate a challenge and request ID –– each of which is a 190-bit (32 alphanumerics) random nonce –– and store them in memcached,” Twitter explained, in a blog post. Each is a “nonce”, a string designed to be used only once.
“The request ID nonce is returned to the browser or client attempting to authenticate, and then a push notification is sent to your phone, letting you know you have a login verification request.
“Within your Twitter app, you can then view the outstanding request, which includes several key pieces of information: time, geographical location, browser, and the login request’s challenge nonce. At that point, you can choose to approve or deny the request.”
For users who don’t have their phone, a backup code can be used. That backup code is protected with extensive hashing.
Twitter encouraged users to store the code safely and backup the cryptographic material stored on phones.
The micro-blogging firm failed to impress when it launched two-factor authentication in May, receiving criticism for using the SMS method. Critics also noted that organisations would not be able to use the extra layer of protection unless all users of a Twitter account shared the same computer.
Many recent Twitter account hijacks have hit media organisations, where multiple users are responsible for updating profiles, making two-factor authentication almost impossible to implement effectively. Twitter is yet to address that latter issue properly.
What do you know about Internet security? Find out with our quiz!