Hands-on: Twitter's new two-factor authentication sounds cool, but we can't get it to work

The encryption behind Twitter's new in-app security scheme sounds wonderful! Now, if only it worked...

On Wednesday, Twitter unveiled a new two-factor authentication method for Android and iOS that allows you to authorize login requests to your Twitter account with just one tap, banishing the usual method of manually inputting security codes generated by an app or sent via text message. Just open up the Twitter app on your smartphone or tablet, authorize the login with one finger press, and you're done.

Sounds great, right? There's only one problem: It simply didn't work in my tests, or my editor's--and Twitter's two-factor failure doesn't appear to be limited to our experience, either.

Nevertheless, even while Twitter works out the kinks for its (admittedly cool) two-factor authentication system, the new security measure is still worth setting up right now. Read on and we'll explain why.

How to get started

You can only have two-factor authentication set up on one smartphone or tablet, so you have to decide which of your devices you have with you most often. For most of us, this will be our smartphone.

To set up Twitter two-factor authentication, tap on the "Me" tab (the advanced primate icon in the top right corner) to view your Twitter profile. Next, tap on the settings cog below your tweet count and then tap "Settings."

For iPhone users, you simply have to tap the "Security" option next, but Android users first have to tap their username at the top of the Settings page and then tap "Security" at the bottom of the next page. After that, both iOS and Android users should now see the security page with one option available called "Login verification" and a check box next to it.

Tap the box and a warning dialog will pop up telling you that if you enable login verification, you will need your phone to sign in to Twitter. If that doesn't bother you--and it shouldn't, since you wanted to set up two-factor authentication in the first place--tap "OK."

Here's where the first issue popped up. Despite repeated attempts to activate Twitter's new security feature, my editor simply couldn't get the new-look two-factor authentication to stick. The app tossed up repeated error messages, as seen at right.

But if you do manage to get through, the Twitter application will take a few minutes to generate a public-private key pair for two-factor authentication. When that's done, the next thing you'll see will be a page with a 12-character code. Write down that code in a secure place, or ideally, plop it in a password manager like LastPass. This code is a one-time backup code you can use in case you have to log in to Twitter without your phone present or Twitter's one-tap authentication method isn't working.

After you've got your backup code stashed away, you're done and your Twitter account is now more secure than it was.

From the Twitter app with two-factor authentication activated, you can use the "Security" page to see or generate new backup codes as well as view and approve all login requests for your account.

That's the theory anyway. Here's how it worked for us in practice.

Authorizing logins

The next time you try to log in to your Twitter account from another device, an alert will be sent to your phone asking you to authorize the login.

On Android, tap the alert in the notifications area to open the Twitter app and go directly to the login requests page. What you should see next is a request to authorize the login with a single tap--there are no codes to enter. The request includes a range of information, including time, location, and browser type, so you can check that the request really is coming from you.

That's what you should see, but as we mentioned before, in our tests Twitter's two-factor authentication mechanism wasn't working. Every time we opened the Twitter app on a Nexus 4 to approve a login, the app said we didn't have any login requests. Quick fixes such as force-stopping the application and rebooting the phone didn't solve the issue either.

Luckily, you can log in using the one-time backup codes--even though that defeats the purpose of using Twitter's one-tap authentication method in the first place.

It's not clear why two-factor authentication didn't work during our tests, but we've dropped a note to Twitter to see if they can help us solve the problem.

Even though Twitter's primary authentication method doesn't work, the backup codes still let you use the Twitter app for two-factor authentication while the company works the bugs out of its system. Another option is to continue using (or sign up for) Twitter's SMS-based authentication method.

We weren't the only ones experiencing problems with Twitter's authentication method, either. A number of Twitter users were also complaining of the issue, and Android Police saw the same issues that we did.

Also note that many third-party applications aren't set up to work with Twitter's new two-factor method yet. In those cases, you will be redirected to your Twitter account on the Web, where you can generate an application-specific password for that app.

Behind the scenes

Crypto-geeks will want to take a look at Twitter's blog post explaining the technical details behind its new authentication scheme. Similar to other two-factor authentication methods, Twitter's approach relies on something you know (your password) and something you have (an app on your phone).

In some cases, such as Google's two-factor authentication method, the second authentication factor (the app on your phone) relies on a counter and a secret shared between your phone and the service. The problem with that approach, Twitter says, is that if the server is compromised, whoever has the server's data also has the shared secret and can generate valid codes to break in to your account.

SMS login codes aren't as secure either since they too can be hacked by malicious actors, as security researchers noted when Twitter rolled out its SMS two-factor approach in May.

The advantage of the shared secret approach, however, is that it's comparatively simple to use and maintain. Twitter's new approach is far more complex--but we'll leave all the nitty-gritty details to Twitter's blog post. Let's just say it involves 2048-bit RSA public-private key pairs and 190-bit, one-time use codes dubbed "nonces," and leave it at that. The animated GIF above gets the rough gist across.
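The following is an added illustration, not Twitter's code and not taken from Twitter's blog post, of the difference the last two paragraphs describe: where the second-factor secret lives in a shared-secret, counter-based scheme versus a public-key, nonce-signing scheme. The counter scheme is implemented as HOTP (RFC 4226), which is an assumption about what "a counter and a shared secret" means in practice. The public-key side uses textbook RSA over two fixed, small primes so that it runs offline and deterministically; that is a stand-in for the 2048-bit keys in the article, not a secure parameter choice, and the server, nonce and class names are invented for the example.

```python
"""Added illustration: which server-side data is enough to pass the second factor.

1. Shared secret + counter (HOTP, RFC 4226): phone and server store the SAME
   secret, so a copy of the server database is enough to compute valid codes.
2. Public key + nonce: the phone holds the private key, the server stores only
   the public key and hands out single-use random nonces to be signed; a copy of
   the server database is not enough to produce a valid approval.
Toy RSA parameters are used here; they are NOT a secure key size.
"""
import hashlib
import hmac
import secrets
import struct


# ---------- 1. shared-secret, counter-based codes (HOTP) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SharedSecretServer:
    """Hypothetical service that must keep the very secret the phone uses."""
    def __init__(self, secret: bytes):
        self.secret = secret      # a breach of this field is a breach of the factor
        self.counter = 0

    def verify(self, code: str) -> bool:
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.counter += 1     # advance so the same code is not accepted twice
            return True
        return False


# ---------- 2. public key + single-use nonce (challenge-response) ----------
# Fixed toy primes (2^61-1 and 2^31-1) keep the example deterministic and offline.
P, Q, E = 2 ** 61 - 1, 2 ** 31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; lives only on the phone


def _digest_mod_n(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(private_d: int, data: bytes) -> int:
    """Phone side: textbook RSA signature over the hash of the challenge."""
    return pow(_digest_mod_n(data), private_d, N)


def verify_signature(public_e: int, data: bytes, sig: int) -> bool:
    return pow(sig, public_e, N) == _digest_mod_n(data)


class PublicKeyServer:
    """Hypothetical service that stores only the public key and pending nonces."""
    def __init__(self, public_e: int, nonce_bits: int = 190):
        self.public_e = public_e
        self.nonce_bits = nonce_bits
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.randbits(self.nonce_bits).to_bytes((self.nonce_bits + 7) // 8, "big")
        self.pending.add(nonce)
        return nonce

    def approve(self, nonce: bytes, sig: int) -> bool:
        # Single use: the nonce is consumed whether or not the signature verifies.
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        return verify_signature(self.public_e, nonce, sig)


def demo() -> dict:
    """Walk both schemes through a normal login, then through a server-data-only attempt."""
    out = {}
    secret = b"constructed-shared-secret"          # constructed sample secret
    ss = SharedSecretServer(secret)
    out["hotp_login"] = ss.verify(hotp(secret, 0))                 # phone computes code 0
    out["hotp_from_server_data"] = ss.verify(hotp(ss.secret, ss.counter))  # server copy suffices

    pk = PublicKeyServer(E)
    nonce = pk.challenge()
    out["pk_login"] = pk.approve(nonce, sign(D, nonce))            # phone signs with D
    out["pk_replay"] = pk.approve(nonce, sign(D, nonce))           # same nonce again: refused
    nonce2 = pk.challenge()
    # Only E and N are on the server; exponentiating with E does not yield a signature.
    out["pk_from_server_data"] = pk.approve(nonce2, pow(_digest_mod_n(nonce2), E, N))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows both logins succeeding, the second-factor check passing from server data alone in the shared-secret case, and failing in the public-key case, along with the replayed nonce being refused; the HOTP function also reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`).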

It sounds good on paper!

Twitter's approach sounds like a very cool way to authorize logins, but we have to wonder if the complexity of sending all those 190-bit nonces back and forth could have used a little more beta testing before it went live. Whatever the technical problems are, hopefully we'll be able to use the new system soon.

Regardless, even using the dreary 16-character backup codes for now is better than the alternative of having no two-factor authentication at all (though my editor's sticking to SMS notifications). Who knows? Maybe you'll have better luck with Twitter's new security measures than we did.

PCWorld's Brad Chacos contributed to this report.
