After scores of accounts were potentially compromised a few months ago, Twitter today launched two-factor authentication through SMS to protect people from hacks and phishing scams on the web. Unfortunately, it may not help shared accounts like big brands and news agencies where multiple people need to be able to log in and out but only one phone number can get the login verification codes.
Following the Twitter security incident in February where hundreds of thousands of accounts had to have their credentials reset, the tech world demanded Twitter offer two-factor authentication. Wired’s Mat Honan reported last month that Twitter was internally testing the feature. But since then, several prominent accounts including the Associated Press had been hacked through phishing tricks that the security feature could have prevented. With two-factor authentication now in place, we’ll hopefully see fewer compromised individual accounts.
However the brands and news outlets whose accounts are the most valuable to hackers may not benefit from the feature. They can only set one phone number as the recipient of the two-factor authentication codes, but may have several staff members who need to access the account. If they enabled it, whoever carried the phone registered with Twitter would have to relay the code to all the other staffers to get it to whoever needed it. That hassle might prevent shared accounts from turning on login verifications, and so the hackings may continue.
Hopefully the fact that Twitter labeled its security blog post “Getting Started With Login Verification” means more advancements are on the way that might protect shared accounts. Twitter’s product security team member Jim O’Leary writes “much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”
HOW TWITTER TWO-FACTOR WORKS
The feature is rolling out now. If you don’t see it in your account settings, you should soon. To enable two-factor authentication, check the box next to Account Security that explains “Require a verification code when I sign in.” You’ll need to enter your phone number if you haven’t already saved it with Twitter. Once you receive a confirmation SMS on your phone you can complete activation of the security feature.
From then on when you enter your name and password to log in on Twitter.com, you’ll get a text message with a verification code you need to enter to prove you’re the account owner. The idea is that if someone steals your name and password, they probably don’t have your phone, too, and they need both to login as you. Twitter’s “login verification” doesn’t work with its mobile apps, though, so you’ll need to use temporary app passwords to stay safe when logging in on your small screen.