Twitter locks down logins by adding two-factor authentication

Twitter has joined the growing number of companies offering two-factor authentication to prevent logins being stolen – a fate several high-profile users of its service have suffered recently. A new checkbox is being added to the Settings pages of Twitter accounts to enable the new feature. When checked, an SMS message containing …

COMMENTS

This topic is closed for new posts.
Terminator

Yes.. let's all give Twitter Inc a huge dBase of active phone numbers to 'look after'.. that's.. a smashing idea.

0
0
Anonymous Coward

I don't care about Twitter

so in that instance I won't bother, but I take my gmail account seriously and have switched to two factor identification there. It is surprisingly convenient, because you have the option of drastically reducing the number of challenges sent when using your usual PC (monthly, I think). Google also supplies an app that generates a unique code every few seconds, so you can choose to use that instead of SMS if you prefer.

2
0

Re: I don't care about Twitter

Same here, although the application specific password feature is a little puzzling. I was hoping Twitter would bring out an app much like Google's and the ones for WoW, RIFT & SW:ToR - never sure if the SMS options incur charges or not...

0
0
Anonymous Coward

RFC 6238

Other companies that have already introduced multi-factor authentication in the past few years include Google, Facebook, Yahoo, Amazon Web Services, Dropbox, Blizzard's Battle.Net, and Valve's Steam.

Microsoft last week also began rolling out two-factor authentication that operates similarly to Google's system, and issues one time codes by text message or, in instances where the user is not connected to a network, a code is generated by a smartphone app called Microsoft Authenticator.

The app supports a standard protocol — thought to be RFC 6238, according to Ars Technica — and means that Google's 'Google Authenticator' can also be used to generate that code for Microsoft's two-factor system. Dropbox's two-factor authentication also supports the standard.

From this article.

0
0
FAIL

Re: RFC 6238

From an Ars article and comments, it appears that Twitter's implementation is flawed and limited and does not support RFC6238. You have to be sent a code every time you log in, and you cannot approve particular devices or browsers. In addition "The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, then you can only secure a single account."

See http://arstechnica.com/security/2013/05/twitter-launches-two-factor-authentication-too-late-to-save-the-onion/

1
0
Silver badge

Re: RFC 6238

I wouldn't trust anything I read in Ars comments. Their commentards are an ignorant and unintelligent bunch of reactionaries. And, the articles aren't much better really.

1
0
Jin

Do not forget the value of passwords.

Should the 2-factor authentication be thought to justify the re-use of passwords, our left hand could be losing what we grasped by the right hand.

0
0
Anonymous Coward

Onion uses Windows?

Isn't that usually the problem?

2
0
Anonymous Coward

Just needs a multi-stage posting process now.

"Are you sure you want to post such drivel?"

"Are you sure you want to post that and possibly lose your job?"

etc.

0
0

Great for individuals. What about companies?

Can you have multiple user IDs access a single Twitter account yet? Or are they still peddling the idea that companies run their Twitter account from one PC, with one user not sharing the password with anyone? I'm sure that works cos employees never quit or go rogue *cough* HMV *cough*.

Ref: http://www.bbc.co.uk/news/technology-22351987

0
0
Anonymous Coward

It's time to cash in

I'm sure Kim Dotcom's paid liars will be suing Twitter if they don't pay Kimi for the use of two-factor authentication... which he claims to have invented. Yeah, it is pretty laughable.

0
0
Silver badge

Re: It's time to cash in

I don't think it's any more laughable than any other software patent. Although in this case the fallout could be more entertaining than is generally the case.

0
0
Bronze badge

It's cheaper to do what http://sourceforge.net/projects/nullnuke/ does and use a server-side key to cypher the base64 in the user's local cookie; anyone without the pass key or the PHP code cannot get the user login just by a base64 decode of the cookie string.

The cyphered base64 is sent and received.

0
0