Twitter Fails To Impress With Two-Factor Authentication Launch

Micro-blogging giant Twitter has launched two-factor authentication, after a string of attacks saw high-profile user accounts compromised, but security experts still aren’t convinced by its efforts.

with impeccable timing, Megaupload creator Kim Dotcom tossed in a claim that he invented 2FA, including a link to a patent application.

In recent weeks, a host of media organisations have seen their Twitter accounts hacked by the Syrian Electronic Army, which is allegedly part-sponsored by the regime of President Bashar al-Assad. The FT, the Daily Telegraph, the BBC and Al-Jazeera were amongst the group of news providers who had their accounts compromised.

Finally, two-factor authentication

Pressure has mounted on the social media firm to improve its security. Now Twitter has introduced a very basic version of two-factor authentication, allowing users to log in with a password and a code sent to their mobile via SMS.

“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers),” said Jim O’Leary, from the Twitter product security team, in a blog post.

“However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”

But as many have noted, the SMS method is not hugely secure when compared to others. Prevalent mobile spyware is known to siphon off text messages. Perkele, which TechWeekEurope recently saw selling for thousands on the Web’s dark markets, is one such piece of kit. Indeed, its main aim is to forward on text messages to the crooks running the Perkele operation.

Microsoft and others, including various banks, offer an authenticator app that receives a code over a separate protocol, which is in theory a more secure method. Google offers both.

Security experts, including F-Secure’s Sean Sullivan, have voiced their concern, asking Twitter why it hasn’t gone further.

“To me, SMS is too ‘public’. And it’s limited to one device. It’s good to have for folks who don’t use smart phones – but given the accounts that are being hacked – that isn’t really the use case,” Sullivan told TechWeekEurope. “SMS is a cheap and dirty way to implement two-factor – Twitter can (and should) do better.”

And, as Twitter admitted, it hasn’t signed deals with all mobile carriers, meaning many won’t be able to take advantage of the two-factor authentication anyway.

When your reporter set up Twitter two-factor authentication today, it was clear the firm had signed deals with a handful of operators, but not EE, currently the only 4G operator in the UK. Orange, which is owned by EE, is included, as are Vodafone, O2, Three, Lycamobile and Sure from Cable & Wireless.

After assuming the Orange option would cover EE and T-Mobile users, your reporter, an EE customer, gave Twitter his mobile details, logged out, tried to log back in, but had not received any code, despite numerous attempts.

Your reporter was still able to access Twitter, thanks to Tweetdeck, which kept him logged in, even though login details have changed. Two-factor login did work with another reporter’s account, using Three’s network.

Kim Dotcom: I invented 2FA

Meanwhile, Kim Dotcom, the man behind Megaupload, for which he is now a wanted man in the US, has claimed he invented two-factor authentication. In a tweet, he linked to a patent application, entitled ‘Method for authorizing in data transmission systems’, signed off by Kim Schmitz – his real name.

Indeed, the application, filed in 1998 and published in 2000, does detail a system where a separate transaction authorisation number (TAN) is selected.

But Dotcom didn’t get a wholly positive response to his tweet, with users noting how patenting such a thing rather than delivering it to the open source community would appear to go against his morals.

Others simply denied that he invented it, with one pointing to another patent from Per Johan Falk and Rutger Erik Bjoern Jonsson, filed in 1995, covering a method “providing an authentication unit which is separate from pre-existing systems”.

Another from Nokia employees from 1997 appeared to show another kind of 2FA. So it seems Dotcom only “invented” a kind of 2FA after others had officially pioneered the idea.

UPDATE: Whilst Twitter support didn’t provide much help, and there is little advice on two-factor auth online, it appears texting STOP to 86444 in the UK kills two-factor. Your reporter did not receive any confirmation from Twitter when  sending GO to that number to set up the mobile functionality in the first place, nor was there a response on texting STOP.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • Two-factor authentication by SMS to mobile phone was invented and used for our CATERMAN internet-based system in the late 1980's, and freely described and implemented. As far as I know there was no prior art or patent. These facts can be checked via the internet. If there are any patent trolls out there who want to pursue this, first check your facts then get in touch with us.

Recent Posts

SoftBank Promises To Invest $100bn In US

Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…

20 hours ago

Synopsys, SiMa.ai To Collaborate On AI Car Chips

Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…

21 hours ago

AI Start-Up Basis Raises $34m For Accountancy Agent

Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…

21 hours ago

Databricks Raises $10bn In Huge AI Funding Round

Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…

22 hours ago

Congo Files Complaints Against Apple Over Conflict Minerals

Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…

22 hours ago