Security Twitteratti: Twitter's 2FA does sweet FA for biz

Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service. While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations - many …

COMMENTS

This topic is closed for new posts.
  1. nuked
    sweet FA then

  2. mknash

    Have that many corporate accounts been compromised, or is that just the excuse when they are caught saying things that they regret?

  3. The Axe

    2FA only when changing login method

    I thought most 2FAs came into action only when you log in via a non-recognised machine, basically you didn't have a cookie set. I didn't think it required the 2FA every time you log in, that would be very irritating for something that is not top secret. So it's not really a problem for corporate accounts. Just requires the "phone owner" to pass on the 2FA when users are given their new corporate laptop/blackberry/etc. Not such a palaver after all.

  4. Camilla Smythe

    I'll be thick

    https://twitter.com/regvulture

    When you tweet to regvulture you tweet to @regvulture

    So now you become

    https://twitter.com/@regvulture

    at which point your staff become

    tom@regvulture

    dick@regvulture

    harry@regvulture

    Now you have differentiated the names you can SMS them their different 6-digit second stage authentication numbers.

  5. Flywheel

    You wait for a bus and then 6 come along at once

    The problem as I see it (as an ordinary plebeian user) is that more and more services are now jumping on the 2FA bandwagon. This isn't a problem in itself, and I got quite excited when Twitter announced the new option; gosh, maybe I could even use one of the 2 2FA devices I now possess. But noooo. It has to be SMS, so my phone becomes a key part of my Twitter experience and it now becomes important not to lose it or stray out of a signal area. No mention of fallback codes that I can keep in my wallet.

    And of course, if I was a conspiracy theorist I'd say how uncomfortable I was with people I've never met being able to link my phone number with my Twitter account: not that I've anything to hide of course..
