Twitter’s two-factor system is not an application or token-based approach, but instead is strictly tied to a user’s mobile phone via SMS.
Wolfgang Kandek, CTO of security firm Qualys, told eSecurity Planet that he likes the way that Twitter has implemented two-factor authentication. “SMS message to a registered phone is widely usable and very much in line with the original character of the Twitter service,” he said.
That said, Kandek points out it does not solve the problem where multiple people need access to a “shared” account, as was the case with the recent exploit of the AP’s Twitter account.
“We either need authorized accounts to modify the master account, or these scenarios will have to be covered with Twitter applications that are authorized through the new temporary and strong passwords that one has to generate in the Settings section of Twitter,” Kandek said.
Jim Fenton, CSO of OneID, is not a fan of the new Twitter login verification system. In his view it doesn’t fix the real security problem.
“I turned it on and now, any time I want to log in to the Twitter website, it first waits for me to successfully enter username/password. If correct, it sends me a six-digit code to type in,” Fenton said. “This is helpful if someone gets a hold of my password, but there are a lot of other vulnerabilities this doesn’t cover.”
Fenton noted that in his case he doesn’t actually log into Twitter very often, since his browser simply stays logged in via cookies and his apps stay logged in via OAuth tokens.
“So even if they can’t log in as me, if they can get (perhaps via malware) my browser cookies or the OAuth tokens for any of my Twitter apps, they can still access my account,” Fenton said.