Twitter's latest login security feature may be too complex for most users

The difficulty in using Twitter's new login verification feature will likely make it useful only to actors, politicians and other high-profile users willing to go through the hassle for tighter security.

Twitter, like Google and Facebook, is experimenting with multi-factor authentication as a backup to the traditional user name and password, which most experts agree is no longer sufficient to protect user accounts. In its latest attempt to bolster security, Twitter has made the mobile phone the keeper of the crown jewels.

[See also: Following breaches, experts call for two-factor authentication on Twitter]

In outline, Twitter's system relies on asymmetric (public-key) cryptography: an iOS or Android device generates a private and a public key. The former stays on the phone, while the latter is stored on a Twitter server.

Together, the keys let Twitter check who is trying to log into an account. If someone tries to log in from a Web browser, a notification is sent to the phone asking the user to OK the request. Because only the phone holds the private key, an approval it produces can be verified by the server against the stored public key, and nothing the server holds is enough to forge one.
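The flow described above, as an added example that is not part of the original article and not Twitter's own code: a Go model in which the phone enrolls an Ed25519 key pair, the server keeps only the public key and issues a random challenge for each browser login, and the phone's signed answer is verified against the enrolled key. The use of Ed25519, the two-minute challenge lifetime, the signed message format and all names are assumptions; the article specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// A browser login waiting for the phone; challenges are random, short-lived
// and single-use so a captured approval cannot be replayed.
type pendingLogin struct {
	user    string
	expires time.Time
	used    bool
}

type server struct {
	pubKeys map[string]ed25519.PublicKey // user -> enrolled phone's public key
	pending map[string]*pendingLogin     // hex(challenge) -> login attempt
	now     func() time.Time             // injectable clock so expiry is testable
}

func newServer() *server {
	return &server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]*pendingLogin{}, now: time.Now}
}

// phone models the mobile app; priv never leaves it.
type phone struct {
	user string
	priv ed25519.PrivateKey
}

// enrollPhone is the opt-in: the phone generates the key pair and registers only the public half.
func enrollPhone(s *server, user string) (*phone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &phone{user: user, priv: priv}, nil
}

const challengeTTL = 2 * time.Minute // assumed lifetime; the article gives none

// beginLogin runs once the browser has given the right password: the server
// mints a random challenge and (in the real system) pushes it to the phone.
func (s *server) beginLogin(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("no enrolled phone for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = &pendingLogin{user: user, expires: s.now().Add(challengeTTL)}
	return c, nil
}

// signedMessage binds the signature to this protocol and this account, so a
// signature made for another purpose or another user is not accepted here.
func signedMessage(user string, challenge []byte) []byte {
	return append([]byte("login-verification-v1\x00"+user+"\x00"), challenge...)
}

// approve is the user tapping OK on the notification.
func (p *phone) approve(challenge []byte) []byte {
	return ed25519.Sign(p.priv, signedMessage(p.user, challenge))
}

// completeLogin checks the phone's answer against the enrolled public key and
// retires the challenge; failed attempts do not consume it.
func (s *server) completeLogin(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	pl, ok := s.pending[key]
	switch {
	case !ok || pl.user != user:
		return errors.New("unknown challenge")
	case pl.used:
		return errors.New("challenge already used")
	case s.now().After(pl.expires):
		delete(s.pending, key)
		return errors.New("challenge expired")
	case !ed25519.Verify(s.pubKeys[user], signedMessage(user, challenge), sig):
		return errors.New("signature does not verify against enrolled key")
	}
	pl.used = true
	return nil
}

func main() {
	s := newServer()
	ph, err := enrollPhone(s, "alice")
	if err != nil {
		panic(err)
	}
	c, _ := s.beginLogin("alice")
	fmt.Println("phone approves:   ", s.completeLogin("alice", c, ph.approve(c))) // <nil>
	fmt.Println("replayed approval:", s.completeLogin("alice", c, ph.approve(c))) // challenge already used
}
```

The server-side checks are where this kind of design earns its keep: the challenge is tied to one user and one attempt, it expires, a second submission of the same signature is refused, and a signature made with any key other than the enrolled one fails verification even though the attacker may know the public key.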

The architecture is not new, but Twitter's latest effort falls short of other such moves.

"I've certainly seen better implementations," said John Bradley, senior technical architect for Ping Identity and a contributor to open authentication standards. "What they have is not the worst multi-factor authentication in the world by any margin, but neither is it the best."

To use the new login verification, a person must always be signed into the Twitter app on the phone. Signing out will kick you out of the feature and you'll have to opt in all over again. In addition, users have to keep a back-up code safely tucked away, in case they need to sign in with a new phone replacing a lost or stolen one.
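The back-up code mentioned above, as an added example that is not from the article and not Twitter's own scheme: a Go model of one-time recovery codes in which the user keeps the plaintext, the server stores only SHA-256 digests, input is normalized the way people type codes from paper, comparison is constant-time, and each code is accepted exactly once. The code length, encoding, count and all names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// backupCodeStore is the server-side record: digests of unused codes only.
type backupCodeStore struct {
	digests [][32]byte // a redeemed code's digest is removed
}

var codeEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// issueBackupCodes mints n codes for the user to write down and stores only
// their digests, so a database leak does not hand out working codes.
func issueBackupCodes(n int) (*backupCodeStore, []string, error) {
	store := &backupCodeStore{}
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10) // 80 bits of entropy per code
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		code := codeEnc.EncodeToString(raw) // 16 characters, A-Z and 2-7
		store.digests = append(store.digests, sha256.Sum256([]byte(code)))
		codes = append(codes, code)
	}
	return store, codes, nil
}

// normalize tolerates lowercase and spaces in a code copied from paper.
func normalize(code string) string {
	return strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(code), " ", ""))
}

// redeem accepts a code once: it compares digests in constant time and deletes
// the matching entry so a leaked or shoulder-surfed code cannot be used again.
func (s *backupCodeStore) redeem(code string) error {
	d := sha256.Sum256([]byte(normalize(code)))
	for i, stored := range s.digests {
		if subtle.ConstantTimeCompare(stored[:], d[:]) == 1 {
			s.digests = append(s.digests[:i], s.digests[i+1:]...)
			return nil
		}
	}
	return errors.New("invalid or already used backup code")
}

// remaining reports how many codes are still usable, so the app can prompt
// the user to generate a new set before the last one is gone.
func (s *backupCodeStore) remaining() int { return len(s.digests) }

func main() {
	store, codes, err := issueBackupCodes(8)
	if err != nil {
		panic(err)
	}
	fmt.Println("codes to keep offline:", codes)
	fmt.Println("first use: ", store.redeem(codes[0])) // <nil>
	fmt.Println("second use:", store.redeem(codes[0])) // invalid or already used backup code
	fmt.Println("remaining: ", store.remaining())      // 7
}
```

A plain SHA-256 digest is adequate here only because each code carries 80 bits of randomness; for low-entropy secrets such as user-chosen passwords a deliberately slow hash would be required instead.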

People who use a tablet will also have to remain signed in to avoid a hassle. Those who sign out won't be able to get back in without first signing into Twitter through a Web browser and generating a temporary password.

Staying logged in to avoid the inconvenience means that if the mobile device is lost or stolen, whoever has it gets immediate access to the Twitter account. While people can set a password for unlocking a device, many users don't take advantage of that feature.

Michael Versace, an analyst for Gartner, questioned whether having the all-important private key in the phone -- particularly an Android device -- is more secure. The platform is the favorite target of cybercriminals and the number and sophistication of tools and malware for compromising Google's operating system is growing.

"When private keys are compromised, bad things can happen," Versace said.

The number of malicious and high-risk Android apps rose to 718,000 in the second quarter of this year from 509,000 in the previous three months, according to Trend Micro's 2Q 2013 Security Roundup. The security vendor also found that cybercriminals are getting better at exploiting flaws in the Android platform, which accounts for the majority of mobile phones.

Besides cybercriminals, Twitter users also have to worry about the security of their phone backups, since a backup of the phone's data can carry the key with it. Twitter recommends encrypting all data.

While experts agree that multi-factor authentication is much better than a password alone, it is confusing to most people, because each website has its own implementation and the differences are hard for users to remember. As a result, most are unlikely to opt in and will continue using only their user name and password, experts say.

"To catch on, (multi-factor authentication) has to be easier than a password," Bradley said. "To get broad adoption, it has to be faster, more fun and better in some way than what people are used to with passwords."

The security industry is taking steps to develop an open authentication system that all sites could use to replace the current fragmentation. One organization gaining traction is the Fast Identity Online (FIDO) Alliance.

The nonprofit organization is working on standards-based technology that would enable a website to authenticate a visitor through the connecting device. FIDO, which Google joined in April, expects to have production-ready specifications available by early next year.

Read more about data protection in CSOonline's Data Protection section.

Stories by Antone Gonsalves