Twitter Fails To Impress With Two-Factor Authentication Launch

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

2FA finally introduced, but it’s not the most secure kind.

Micro-blogging giant Twitter has launched two-factor authentication, after a string of attacks saw high-profile user accounts compromised, but security experts still aren’t convinced by its efforts.

with impeccable timing, Megaupload creator Kim Dotcom tossed in a claim that he invented 2FA, including a link to a patent application.

In recent weeks, a host of media organisations have seen their Twitter accounts hacked by the Syrian Electronic Army, which is allegedly part-sponsored by the regime of President Bashar al-Assad. The FT, the Daily Telegraph, the BBC and Al-Jazeera were amongst the group of news providers who had their accounts compromised.

Finally, two-factor authentication

Blue bird, Twitter © ruforester FotoliaPressure has mounted on the social media firm to improve its security. Now Twitter has introduced a very basic version of two-factor authentication, allowing users to log in with a password and a code sent to their mobile via SMS.

“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers),” said Jim O’Leary, from the Twitter product security team, in a blog post.

“However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”

But as many have noted, the SMS method is not hugely secure when compared to others. Prevalent mobile spyware is known to siphon off text messages. Perkele, which TechWeekEurope recently saw selling for thousands on the Web’s dark markets, is one such piece of kit. Indeed, its main aim is to forward on text messages to the crooks running the Perkele operation.

Microsoft and others, including various banks, offer an authenticator app that receives a code over a separate protocol, which is in theory a more secure method. Google offers both.

Security experts, including F-Secure’s Sean Sullivan, have voiced their concern, asking Twitter why it hasn’t gone further.

“To me, SMS is too ‘public’. And it’s limited to one device. It’s good to have for folks who don’t use smart phones – but given the accounts that are being hacked – that isn’t really the use case,” Sullivan told TechWeekEurope. “SMS is a cheap and dirty way to implement two-factor – Twitter can (and should) do better.”

And, as Twitter admitted, it hasn’t signed deals with all mobile carriers, meaning many won’t be able to take advantage of the two-factor authentication anyway.

When your reporter set up Twitter two-factor authentication today, it was clear the firm had signed deals with a handful of operators, but not EE, currently the only 4G operator in the UK. Orange, which is owned by EE, is included, as are Vodafone, O2, Three, Lycamobile and Sure from Cable & Wireless.

After assuming the Orange option would cover EE and T-Mobile users, your reporter, an EE customer, gave Twitter his mobile details, logged out, tried to log back in, but had not received any code, despite numerous attempts.

Your reporter was still able to access Twitter, thanks to Tweetdeck, which kept him logged in, even though login details have changed. Two-factor login did work with another reporter’s account, using Three’s network.

Kim Dotcom: I invented 2FA

Meanwhile, Kim Dotcom, the man behind Megaupload, for which he is now a wanted man in the US, has claimed he invented two-factor authentication. In a tweet, he linked to a patent application, entitled ‘Method for authorizing in data transmission systems’, signed off by Kim Schmitz – his real name.

Indeed, the application, filed in 1998 and published in 2000, does detail a system where a separate transaction authorisation number (TAN) is selected.

But Dotcom didn’t get a wholly positive response to his tweet, with users noting how patenting such a thing rather than delivering it to the open source community would appear to go against his morals.

Others simply denied that he invented it, with one pointing to another patent from Per Johan Falk and Rutger Erik Bjoern Jonsson, filed in 1995, covering a method “providing an authentication unit which is separate from pre-existing systems”.

Another from Nokia employees from 1997 appeared to show another kind of 2FA. So it seems Dotcom only “invented” a kind of 2FA after others had officially pioneered the idea.

UPDATE: Whilst Twitter support didn’t provide much help, and there is little advice on two-factor auth online, it appears texting STOP to 86444 in the UK kills two-factor. Your reporter did not receive any confirmation from Twitter when  sending GO to that number to set up the mobile functionality in the first place, nor was there a response on texting STOP.

Are you a security expert? Try our quiz!