Why Twitter’s two-factor authentication isn’t going to stop media organisations from being hacked

24 May

Twitter has announced the availability of two factor authentication (2FA) for its service, meaning that users can opt-in to something stronger than just a username and password to protect their accounts.

Twitter login code

In a blog post, Twitter explains how the new security measure works.

If you decide to turn 2FA on for your Twitter account, every time you try to log into the site you will be prompted to enter a six-digit code that Twitter sends to your phone via SMS.

Here is a video Twitter released, demonstrating the feature:


So, the big question is this… is this going to help media organisations such as The GuardianNPRthe Financial Times, and others who have found their Twitter accounts hijacked by the likes of the Syrian Electronic Army?

Sadly, I don’t think it’s going to help them at all.

Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.

2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.

Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to “own” the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories.

Twitter verification

It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.

Of course, *another* solution would be to have an intermediary service, acting as a proxy, to which journalists could post their Twitter updates (using appropriate authentication) and then have *that* service feed the official Twitter account.

If you take that approach, just ensure that you have proper security systems in place for that proxy service – to keep out hackers and mischief-makers.

Corporations with “shared accounts” on Twitter would be wise to keep their defences updated, educate their staff on security and best practice, and learn the lessons of how Twitter accounts have been hacked in the past.

If you do enable Twitter two-factor authentication, whether you are Joe Public or a multinational corporation, realise that the technology isn’t going to help if you have users who are easily phished.

Determined online criminals could use “man-in-the-middle” techniques to grab the six digit passcode alongside your password and username if they are determined.

So, even if you do turn on Twitter’s 2FA, you still need to double-check that when you enter your username and password, or your six digit code, that you are *really* on Twitter’s https website.

HTTPS on Twitter's website

Otherwise, the crooks can just use all three items to log in as you…

In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today.

Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.

Right now Twitter’s 2FA is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the Syrian Electronic Army in the past.

1 Comment

Posted by on May 24, 2013 in Uncategorized


One response to “Why Twitter’s two-factor authentication isn’t going to stop media organisations from being hacked

  1. todotunezcom

    May 27, 2013 at 9:27 pm

    Informative article, totally what I wanted to find.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: