This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Twitter seeks 2FA engineers for stronger access

Share this article:
Twitter is latest media company to suffer cyber attack
Twitter is latest media company to suffer cyber attack

Following the attack at the weekend, which saw 250,000 user details accessed, Twitter has announced plans to implement two-factor authentication as an option to help users better protect their accounts.

According to news site Ars Technica, a job listing posted by Twitter this week claimed the company is seeking software engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection".

Although Twitter has not commented on its plans, it currently uses the OAuth protocol via applications for authentication and secure socket layer (SSL) encryption to pass user credentials from web browsers and other Twitter clients.

In an email to SC Magazine, security researcher Robin Wood said that he welcomed the move, as two-factor authentication would add a lot of extra security.

“Celebrities, politicians and companies are regularly getting their Twitter accounts taken over, most of the time this is done by simple password guessing or finding a password on another system which is reused on Twitter,” he said.

“The second factor would remove both of these vulnerabilities as even if the attacker got the password they wouldn't have the second factor. It won't completely remove the ability for a determined attacker to get in but it will stop a large number of the attacks.”

Javvad Malik, senior analyst in the 451 Enterprise Security Group, said that it is the provider's responsibility to protect users.

He said: “The fundamental purpose of adding 2FA is to introduce a measure of randomness to an otherwise static password. So yes, it should protect against keyboard loggers or guessed passwords etc, but it all depends on what they do with the session once it's been established.

“It will only really be useful if you force users to sign in every time they want to use the application, possibly also sign them out after a certain period of inactivity. Judging by how people actually use Twitter, I think this will become an overly laborious process that would cause more problems in the long term.

“In my opinion, it's not a Twitter problem; it ties into the wider internet authentication problem we're witnessing. How do you securely but conveniently authenticate users and how do web developers securely design apps so their password databases can't be breached? OAuth type technology is pretty good but much like mobile phone apps, users don't really pay attention to what permissions that app is asking for, they just want to fling birds across the screen.”

With regard to the use of OAuth, Wood said that he was not sure how that would be affected by adding a second factor, as the way it works is for the user to authorise the app that then gets a token.

He said: “When the app wants to talk to Twitter it uses that token. You would need to be logged in to the main website to authorise the app in the first place, which is where the second factor would come in.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

WordPress plugin flaw opens blogs up to cybercriminals

WordPress plugin flaw opens blogs up to cybercriminals

A WordPress plugin called MailPoet - which has been downloaded around 1.7 million times - has placed large numbers of WordPress-based websites at risk of incursion.

European Central Bank loses personal records after data breach

European Central Bank loses personal records after data ...

The European Central Bank admitted today that its website was hacked and said that some email addresses and other contact information was stolen.

34 European banks hit by Android app security attacks

34 European banks hit by Android app security ...

Banks need to put their heads together to develop common and more secure methodologies says Sarb Sembhi, STORM Guidance, following operation Emmental.