Two-factor authentication for twitter

Posted by:

admin 10 years, 12 months ago

After any high-profile account take-over there is always a call for two-factor authentication.  At the same time there are always people yelling that two-factor authentication won't stop a determined attacker.  The latest take-over was the APs Twitter account.   Queue articles stating that we need two-factor authentication for National Security! Queue this one on how attackers can get around two-factor thanks to other vulnerabilities.  How about some data?

First, let's start the DBIR , conveniently released this week by Verizon,  As stated in the DBIR:

If data could start a riot (“Occupy Passwords!”), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die.

As I pointed out on Twitter, two-factor authentication may not stop *an attack*, but it sure reduces your total number of successful attacks. The Verizon team - and more importantly - their data - would seem to agree. (I would also argue that in the case of the AP attack, it would have stopped it as I think it was an opportunistic attack. There are a number of news outlets on Twitter to target and more may have been targeted.)

We have another data point from Google. They have stated that account hijacks are down 99.7% from their peak. They accomplished this by implementing two-factor authentication (voluntarily for their users) and by performing risk analysis on suspicious authentication. I would love to have more data from them. For example, how many 'high-value' or likely targets adopted two-factor authentication? Note that this drop occurred while a known vulnerability existed against their 2FA system.

Twitter is now an important service and if it wants to play with the big boys, it will need to implement account protections.  Twitter needs the APs and CNNs to be on Twitter and for them to be trusted.

They face some interesting issues around authorization, though. The big marketing brands and news agencies most likely have multiple users and some outsource their account entirely. One of our customers, Silverpop, faced just this issue. They solved it by implementing two-factor authentication along with a sophisticated authorization application that supports ad firms as well as direct customers. I expect that this type of system will be required by all sorts of services. Additionally, Twitter may have a harder time monitoring accounts for suspicious activity due to the large number of Twitter clients (none of which seem very good at just doing Twitter) and services such as Hootsuite that do their own authentication.

I disagree with the Verizon team that we need to collectively agree on a replacement.  The more concentrated the market share in one solution, the more risk.

• ← New Drupal two-factor module released - CMS authentication issues
• WiKID's two-factor authentication API →