Twitter Now Has a Two-Step Solution

Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly, Wired has learned.
Photo: Ariel Zambelich/Wired

Such a system will drastically reduce the risk of Twitter users having their accounts hacked, as has already happened to everyday users and to major organizations like the Associated Press, the BBC and 60 Minutes.

Two-step (also known as two-factor or multifactor) authentication can prevent a hacker from gaining access to an account far more effectively than a password alone. When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).
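The login flow described above, as an added illustration that is not Twitter's code: step one checks the password, step two issues a short-lived, single-use code to a device registered earlier and accepts only that code. The class, the callback used to stand in for an SMS or app delivery, and the time limits are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL = 300        # seconds an issued code stays valid (assumed value)
MAX_ATTEMPTS = 5      # wrong guesses tolerated per issued code (assumed value)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoStepLogin:
    """Hypothetical account record: password hash plus registered devices."""
    def __init__(self, password: str, devices, send_code):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.devices = set(devices)      # something you have, registered earlier
        self.send_code = send_code       # transport: SMS gateway or push to an app
        self.pending = {}                # device -> (code, expiry, attempts_left)

    def step_one(self, password: str, device: str, now=None) -> bool:
        """Verify the password; on success issue a one-time code to the device."""
        candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        if device not in self.devices:
            return False                  # unregistered device: nothing to send to
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self.pending[device] = (code, now + CODE_TTL, MAX_ATTEMPTS)
        self.send_code(device, code)
        return True

    def step_two(self, device: str, code: str, now=None) -> bool:
        """Accept the code once, before expiry, within the attempt budget."""
        entry = self.pending.get(device)
        if entry is None:
            return False
        expected, expiry, attempts_left = entry
        now = time.time() if now is None else now
        if now > expiry or attempts_left <= 0:
            del self.pending[device]      # stale or exhausted: force a fresh step one
            return False
        if hmac.compare_digest(expected, code):
            del self.pending[device]      # single use: a replayed code is refused
            return True
        self.pending[device] = (expected, expiry, attempts_left - 1)
        return False
```

A phished password alone gets an attacker through step one only if it is typed from a registered device, and never through step two without the delivered code.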

Twitter posted a job listing for software engineers in February to build such a solution.

The need for such protection was underscored yet again today when the Associated Press had its Twitter feed hacked. The hacker sent a bogus announcement of an explosion in the White House that injured President Obama. According to the AP, this likely happened via a phishing attack in which a user was tricked into handing over a password. Two-step verification would have prevented that.

While it is unclear exactly how or when Twitter will roll out two-factor, the recent spate of high-profile account hackings likely added a sense of urgency to getting something out the door. I would be very surprised if the company doesn’t have something out the door within the coming weeks -- at least in beta testing mode for highly visible organizations like the AP, The New York Times, and Justin Bieber.

Given the increasing frequency of attacks, like today’s attack on the AP, or recent ones against the BBC and 60 Minutes, it seems like it would behoove the company to get something out now, even if imperfect, and iterate later. That might mean launching with an SMS-only solution, but even that would be better than the current system that relies on passwords alone. One interesting wrinkle with two-step and Twitter is that many of the accounts most prone to hacking have multiple, sometimes very many, users who use a variety of applications. That means any solution is likely going to have to support multiple devices and multiple apps.

While it's been a long time coming, this is a great move. Two-step isn't perfect, but it’s a pretty effective stop-gap that’s been becoming more and more popular as passwords become increasingly ineffective against the myriad threats now posed by everything from password reuse to malware.