This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Twitter seeks 2FA engineers for stronger access

Share this article:
Twitter is latest media company to suffer cyber attack
Twitter is latest media company to suffer cyber attack

Following the attack at the weekend, which saw 250,000 user details accessed, Twitter has announced plans to implement two-factor authentication as an option to help users better protect their accounts.

According to news site Ars Technica, a job listing posted by Twitter this week claimed the company is seeking software engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection".

Although Twitter has not commented on its plans, it currently uses the OAuth protocol via applications for authentication and secure socket layer (SSL) encryption to pass user credentials from web browsers and other Twitter clients.

In an email to SC Magazine, security researcher Robin Wood said that he welcomed the move, as two-factor authentication would add a lot of extra security.

“Celebrities, politicians and companies are regularly getting their Twitter accounts taken over, most of the time this is done by simple password guessing or finding a password on another system which is reused on Twitter,” he said.

“The second factor would remove both of these vulnerabilities as even if the attacker got the password they wouldn't have the second factor. It won't completely remove the ability for a determined attacker to get in but it will stop a large number of the attacks.”

Javvad Malik, senior analyst in the 451 Enterprise Security Group, said that it is the provider's responsibility to protect users.

He said: “The fundamental purpose of adding 2FA is to introduce a measure of randomness to an otherwise static password. So yes, it should protect against keyboard loggers or guessed passwords etc, but it all depends on what they do with the session once it's been established.

“It will only really be useful if you force users to sign in every time they want to use the application, possibly also sign them out after a certain period of inactivity. Judging by how people actually use Twitter, I think this will become an overly laborious process that would cause more problems in the long term.

“In my opinion, it's not a Twitter problem; it ties into the wider internet authentication problem we're witnessing. How do you securely but conveniently authenticate users and how do web developers securely design apps so their password databases can't be breached? OAuth type technology is pretty good but much like mobile phone apps, users don't really pay attention to what permissions that app is asking for, they just want to fling birds across the screen.”

With regard to the use of OAuth, Wood said that he was not sure how that would be affected by adding a second factor, as the way it works is for the user to authorise the app that then gets a token.

He said: “When the app wants to talk to Twitter it uses that token. You would need to be logged in to the main website to authorise the app in the first place, which is where the second factor would come in.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Google and Facebook offer free cyber-security tools

Google and Facebook offer free cyber-security tools

Google and Facebook have both launched free open-source cyber-security tools this week, designed to help security professionals spot malware and cyber-attacks.

Mixed results for key Government cyber-initiatives

Mixed results for key Government cyber-initiatives

The Government's Verify scheme to confirm IDs is behind scheuduled uptake, but its CISP threat intelligence sharing scheme is ahead of target.

Hundreds of companies face 2,000 cyber-attacks in EU exercise

Hundreds of companies face 2,000 cyber-attacks in EU ...

The European Network and Information Security Agency (ENISA) conducted a 24-hour cyber-exercise in which more than 200 organisations from 25 EU member states faced virtual cyber-attacks from white hat hackers ...