Twitter Finally Turns On Two-Step Verification
Twitter has finally caught up to Facebook, Google and Microsoft: It has created a much-needed two-factor verification feature to mitigate account hacks and takeovers.
The optional feature, also known as two-step authentication, requires users to enter a single-use numeric code, sent to the user's phone, in conjunction with a traditional password, when they log in.
Twitter's move follows a steady stream of unauthorized account takeovers of high-profile "branded" Twitter accounts, including those of Jeep, Burger King, the Associated Press and the satirical publication The Onion.
However, due to the way the new security feature is designed, it's going to make things very complicated for corporate Twitter accounts, and it's not clear if it'll help prevent hijacks.
The Associated Press Twitter hijacking on April 23 was especially noteworthy — its single unauthorized tweet caused the stock market to take a brief but dramatic dive.
"Breaking: Two Explosions in the White House and Barack Obama is injured," read the unauthorized AP tweet, later attributed to a pro-Syrian government group known as the Syrian Electronic Army.
Easy to set up, perhaps not so easy to use
Users who wish to enable Twitter's two-step authentication can do so by going into their settings menu and selecting the "Require a verification code when I sign in" box. A mobile-phone number will need to be linked to the account.
However, Twitter's two-step verification scheme will require users to enter a unique numeric code every time they use a Web browser to log on. That might get annoying fast.
Other two-step tools avoid this hassle by placing cookies onto users' browsers. Gmail users, for example, need to use numeric codes only once on frequently used computers such as home and workplace PCs.
Twitter's every-time policy may backfire by causing some users to avoid two-step verification altogether or, even worse, to stay perpetually logged into Twitter on every computer. (Doing so could create more opportunity for account hijackers.)
Users who use third-party desktop clients and mobile Twitter apps, such as Osfoora and Tweetdeck, can't use the numeric code.
Instead, if users choose to enable two-step verification, they will need to have Twitter generate temporary passwords for each app and client. (Google does the same with its mobile apps.)
Users will need to use the temporary passwords only once, since Twitter apps and clients are technically always logged in.
“With login verification enabled, your existing applications will continue to work without disruption," Twitter security staffer Jim O'Leary wrote in a company blog posting explaining the two-step option.
We're still unsure about how this feature will work for branded Twitter accounts, which often have multiple users, sometimes scattered across different time zones, sharing a single password.
On Facebook, corporate employees access branded pages through their personal Facebook profiles, but Twitter doesn't work that way.
Unless Twitter's verification tool is somehow able to handle multiple phone numbers, only one person will be able to receive the numeric code on his or her phone in order to log in through a Web browser.
Alternatively, multiple users of a branded Twitter account could use a third-party client or app that stays logged in. But every potential user would have to be set up by logging in during the validity period (usually 24 hours) of the client's temporary password.
Despite this confusion, we can't overemphasize the security benefits of two-step verification. If you have a Twitter account — or accounts with Google, Yahoo, Microsoft, Dropbox, Facebook or Apple — set it up now.