sweet FA then
Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service. While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations - many …
Have that many corporate accounts been compromised or is that just the excuse when they are caught saying things that they regret?
2FA only when changing login method
I thought most 2FAs came into action only when you log in via a non-recognised machine, basically you didn't have a cookie set. I didn't think it required the 2FA every time you log in, that would be very irritating for something that is not top secret. So it's not really a problem for corporate accounts. Just requires the "phone owner" to pass on the 2FA when users are given their new corporate laptop/blackberry/etc. Not such a palaver after all.
I'll be thick
When you tweet to regvulture you tweet to @regvulture
So now you become
at which point your staff become
Now you have differentiated the names you can SMS them their different 6 digit second stage authentication numbers.
You wait for a bus and then 6 come along at once
The problem as I see it (as an ordinary plebeian user) is that more and more services are now jumping on the 2FA bandwagon. This isn't a problem in itself, and I got quite excited when Twitter announced the new option; gosh, maybe I could even use one of the 2 2FA devices I now possess. But noooo. It has to be SMS, so my phone becomes a key part of my Twitter experience and it now becomes important not to lose it or stray out of a signal area. No mention of fallback codes that I can keep in my wallet.
And of course, if I was a conspiracy theorist I'd say how uncomfortable I was with people I've never met being able to link my phone number with my Twitter account: not that I've anything to hide of course...