Following breaches, experts call for two-factor authentication on Twitter

Twitter should quickly join many other Internet companies such as Google in providing users with the option of two-factor authentication, experts say.

The call for changes in Twitter security followed news Wednesday of the compromise of the official account of Saudi Aramco, the national oil company of Saudi Arabia. Hackers replaced the company's logo with the picture of Heath Ledger's portrayal of "The Joker" in the 2008 Batman movie "The Dark Knight." In addition, a series of tweets was sent to the oil company's 46,000 followers, the security firm Sophos said.

"It is high time Twitter implement something to augment account security," said Chester Wisniewski, a senior security adviser for Sophos. "Two-factor authentication would be a great option for protecting high-profile brands, celebrities and those who simply want that extra layer of security for their online identity."

Twitter did not respond to a request for comment.

Twitter is behind other Internet companies in providing the option of requiring a second form of authentication when accessing the service from an unidentified device. Such security usually involves typing in a one-time passcode sent to a mobile phone.
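The device-and-passcode step described above, as an added example (not Twitter's code and not from the article): a server-side check that skips the second factor for a device that has already completed it, and otherwise issues a short-lived, single-use code with a bounded number of guesses. The device token (assumed to be a random cookie set after a successful second factor), the code lifetime and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 5         # assumed guess budget per issued code


class SecondFactor:
    """Tracks trusted devices and pending one-time codes for one account."""

    def __init__(self, now=time.time):
        self.now = now                # injectable clock so expiry can be tested
        self.trusted_devices = set()  # device tokens that already passed 2FA
        self.pending = {}             # device token -> [code digest, expiry, attempts]

    def needs_second_factor(self, device_token):
        # An unidentified device is any token we have not seen complete 2FA.
        return device_token not in self.trusted_devices

    def issue_code(self, device_token):
        # Six-digit code from a CSPRNG; only its digest is kept server-side,
        # the plaintext goes to the user's phone (delivery is out of scope here).
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[device_token] = [digest, self.now() + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, device_token, submitted):
        entry = self.pending.get(device_token)
        if entry is None:
            return False  # nothing outstanding for this device
        digest, expiry, attempts = entry
        if self.now() > expiry or attempts >= MAX_ATTEMPTS:
            del self.pending[device_token]  # expired or guess budget exhausted
            return False
        entry[2] += 1  # count the attempt before comparing
        submitted_digest = hashlib.sha256(submitted.encode()).hexdigest()
        ok = hmac.compare_digest(digest, submitted_digest)  # constant-time compare
        if ok:
            del self.pending[device_token]  # single use: a replayed code fails
            self.trusted_devices.add(device_token)
        return ok
```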

Companies offering the added security include Facebook, Google, Dropbox, Microsoft, PayPal and Yahoo. Recently, Evernote said it would rush plans for two-factor authentication, after a breach forced the site to reset 50 million user passwords.

Twitter has also suffered major compromises. Last month, "extremely sophisticated" hackers breached the microblogging site's servers and stole the user names and encrypted/salted versions of passwords for 250,000 users, the company reported.


Following the break-in, Bob Lord, director of information security at Twitter, advised users that they should be using strong passwords of at least 10 characters as part of what the site called "good password hygiene."

"Password hygiene, really?" said Rick Holland, an analyst for Forrester Research. "They didn't even comment on two-factor authentication. Twitter users expect more out of Twitter."

While two-factor authentication is not a silver bullet, it is a necessary step toward better security, Holland said. "I have to think that Twitter is working on rolling this out and want to ensure that the solution they deploy is scalable and secure."

Indeed, Twitter recently had a full-time job posting for a software engineer with experience in designing and developing "user-facing security features, such as multifactor authentication and fraudulent login detection."

Two-factor authentication is not easy to implement. Security firm Duo Security reported last month a serious flaw in Google's two-step login process. The problem, which was fixed, stemmed from Google applying the feature across its many services. Such a broad undertaking is bound to have flaws.

"Coming up with a single, infrastructure-wide single sign-on platform is not a trivial task," Jon Oberheide, co-founder and chief technology officer for Duo Security, said at the time.

Companies using social media should consider products and services available to monitor content for malicious activity, said Gartner analyst Andrew Walls. In addition, companies need to manage account access and activity, and have a plan for responding to a breach that includes the IT and legal staff, security pros, marketing and public relations.

"A robust authentication mechanism is one piece of the social media security puzzle," Walls said. "Organizations should not expect public, consumer-oriented social media platforms to provide comprehensive social media security and risk management for enterprise users."
