Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service. While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations - many …
sweet FA then
Have that many corporate accounts been compromised, or is that just the excuse when they are caught saying things that they regret?
2FA only when changing login method
I thought most 2FAs came into action only when you log in via a non-recognised machine, basically when you didn't have a cookie set. I didn't think it required the 2FA every time you log in; that would be very irritating for something that is not top secret. So it's not really a problem for corporate accounts. It just requires the "phone owner" to pass on the 2FA when users are given their new corporate laptop/BlackBerry/etc. Not such a palaver after all.
I'll be thick
When you tweet to regvulture, you tweet to @regvulture
So now you become
at which point your staff become
Now you have differentiated the names you can SMS them their different 6-digit second-stage authentication numbers.
You wait for a bus and then 6 come along at once
The problem as I see it (as an ordinary plebeian user) is that more and more services are now jumping on the 2FA bandwagon. This isn't a problem in itself, and I got quite excited when Twitter announced the new option; gosh, maybe I could even use one of the 2 2FA devices I now possess. But noooo. It has to be SMS, so my phone becomes a key part of my Twitter experience and it now becomes important not to lose it or stray out of a signal area. No mention of fallback codes that I can keep in my wallet.
And of course, if I was a conspiracy theorist I'd say how uncomfortable I was with people I've never met being able to link my phone number with my Twitter account: not that I've anything to hide, of course.
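The two mechanisms the commenters are talking about, the "2FA only when changing login method" post (a remembered-device cookie so the second factor is only demanded on an unrecognised machine, and the phone owner only has to pass the code on once per new corporate laptop) and the "You wait for a bus" post (a code generated by a TOTP device rather than delivered by SMS, plus one-shot fallback codes to keep in your wallet), are shown together below as an added, self-contained example. It is not Twitter's implementation and not code from the article or the commenters; the account name, password, TOTP secret, backup codes, cookie format and 30-day trust window are all constructed for the demo, and the password hash is a placeholder for a real KDF.

```python
import hashlib
import hmac
import secrets
import struct

# Demo parameters (constructed; not Twitter's real settings).
TRUST_SECONDS = 30 * 24 * 3600   # how long a remembered device skips the second factor
TOTP_STEP = 30                   # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what an authenticator app or hardware token computes.
    No SMS involved, so the code can be produced with no phone signal at all."""
    counter = struct.pack(">Q", now // step)                     # 8-byte big-endian time counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash(value: str) -> str:
    # Placeholder for the demo; a real service would use a slow password KDF.
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, username: str, password: str, totp_secret: bytes, backup_codes):
        self.username = username
        self.password_hash = _hash(password)
        self.totp_secret = totp_secret
        # Fallback codes are stored hashed and each one is valid exactly once.
        self.unused_backup_hashes = {_hash(c) for c in backup_codes}


class TwoFactorService:
    """Login that demands the second factor only on a device without a valid trust cookie."""

    def __init__(self, cookie_key: bytes):
        self.cookie_key = cookie_key   # server-side secret that signs remembered-device cookies
        self.accounts = {}

    def add_account(self, account: Account):
        self.accounts[account.username] = account

    # --- remembered-device cookie (stateless, HMAC-signed) --------------------
    def _sign(self, payload: str) -> str:
        return hmac.new(self.cookie_key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_device_cookie(self, username: str, now: int) -> str:
        payload = f"{username}|{now + TRUST_SECONDS}|{secrets.token_hex(8)}"
        return f"{payload}|{self._sign(payload)}"

    def device_is_trusted(self, username: str, cookie, now: int) -> bool:
        if not cookie:
            return False
        try:
            user, expiry, nonce, tag = cookie.split("|")
        except ValueError:
            return False                                         # malformed cookie
        payload = f"{user}|{expiry}|{nonce}"
        return (user == username
                and hmac.compare_digest(tag, self._sign(payload))   # not forged or tampered
                and now < int(expiry))                              # not expired

    # --- second factor ---------------------------------------------------------
    def _second_factor_ok(self, acct: Account, code: str, now: int) -> bool:
        if not code.isascii():
            return False
        # Accept the current TOTP step and its neighbours to tolerate clock drift.
        for drift in (-1, 0, 1):
            if hmac.compare_digest(code, totp(acct.totp_secret, now + drift * TOTP_STEP)):
                return True
        # Otherwise try a one-shot backup code, burning it on success.
        h = _hash(code)
        if h in acct.unused_backup_hashes:
            acct.unused_backup_hashes.discard(h)
            return True
        return False

    def login(self, username, password, now, device_cookie=None, second_factor=None):
        """Returns (status, cookie); status is 'ok', 'second_factor_required' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password)):
            return "denied", None
        if self.device_is_trusted(username, device_cookie, now):
            return "ok", device_cookie                           # recognised machine: no prompt
        if second_factor is None:
            return "second_factor_required", None                # new machine: ask once
        if self._second_factor_ok(acct, second_factor, now):
            return "ok", self.issue_device_cookie(username, now)  # remember this device
        return "denied", None
```

For a shared corporate account, whoever holds the token enters one TOTP (or hands over one backup code) when a new laptop first logs in; that laptop then carries a signed cookie and is not prompted again until the trust window lapses or the cookie is tampered with. Wrong password, an expired or altered cookie, and a reused backup code all fall back to a denial or a fresh second-factor prompt.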