
Twitter seeks 2FA engineers for stronger access

Twitter is latest media company to suffer cyber attack

Following the attack at the weekend, which saw 250,000 user details accessed, Twitter has announced plans to implement two-factor authentication as an option to help users better protect their accounts.

According to news site Ars Technica, a job listing posted by Twitter this week claimed the company is seeking software engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection".

Although Twitter has not commented on its plans, it currently authenticates third-party applications with the OAuth protocol and relies on Secure Sockets Layer (SSL) encryption to carry user credentials from web browsers and other Twitter clients.

In an email to SC Magazine, security researcher Robin Wood said that he welcomed the move, as two-factor authentication would add a lot of extra security.

“Celebrities, politicians and companies are regularly getting their Twitter accounts taken over; most of the time this is done by simple password guessing or by finding a password on another system which is reused on Twitter,” he said.

“The second factor would remove both of these vulnerabilities as even if the attacker got the password they wouldn't have the second factor. It won't completely remove the ability for a determined attacker to get in but it will stop a large number of the attacks.”

Javvad Malik, senior analyst in the 451 Enterprise Security Group, said that it is the provider's responsibility to protect users.

He said: “The fundamental purpose of adding 2FA is to introduce a measure of randomness to an otherwise static password. So yes, it should protect against keyboard loggers or guessed passwords etc, but it all depends on what they do with the session once it's been established.

“It will only really be useful if you force users to sign in every time they want to use the application, possibly also sign them out after a certain period of inactivity. Judging by how people actually use Twitter, I think this will become an overly laborious process that would cause more problems in the long term.

“In my opinion, it's not a Twitter problem; it ties into the wider internet authentication problem we're witnessing. How do you securely but conveniently authenticate users, and how do web developers securely design apps so their password databases can't be breached? OAuth-type technology is pretty good, but much like mobile phone apps, users don't really pay attention to what permissions the app is asking for; they just want to fling birds across the screen.”

With regard to the use of OAuth, Wood said that he was not sure how that would be affected by adding a second factor, as the way it works is for the user to authorise the app, which then gets a token.

He said: “When the app wants to talk to Twitter it uses that token. You would need to be logged in to the main website to authorise the app in the first place, which is where the second factor would come in.”
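The two points raised above, that the second factor belongs at the web login while an authorised app keeps using its token, and that a session established after 2FA should be signed out after inactivity, can be shown in a small, self-contained model. The following Python is an added example and is not Twitter's code nor anything described by the people quoted; it assumes a TOTP code (RFC 6238, HMAC-SHA1) as the second factor, which the article does not specify, and all names, secrets and timings in it are constructed for illustration.

```python
"""Second-factor (TOTP) login with an idle-limited web session and app tokens.

Added example. Assumes an RFC 6238 TOTP code as the second factor; the
AuthService class is a constructed in-memory model, not any real site's code.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, len(code)), code)
        for drift in range(-window, window + 1)
    )


class AuthService:
    """Constructed model: salted PBKDF2 password hashes plus a per-user TOTP secret."""

    def __init__(self, idle_timeout: int = 15 * 60):
        self.idle_timeout = idle_timeout   # seconds of inactivity before sign-out
        self.users = {}                    # name -> (salt, pw_hash, totp_secret)
        self.sessions = {}                 # web session token -> (name, last_seen)
        self.app_tokens = {}               # app token -> (name, app_name)

    def register(self, name: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        totp_secret = secrets.token_bytes(20)
        self.users[name] = (salt, pw_hash, totp_secret)
        return totp_secret                 # enrolled once in the user's authenticator

    def login(self, name: str, password: str, code: str, now: float):
        """Both factors must pass: a guessed or reused password alone is not enough."""
        entry = self.users.get(name)
        if entry is None:
            return None
        salt, pw_hash, totp_secret = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        if not verify_totp(totp_secret, code, now):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, now)
        return token

    def session_user(self, token: str, now: float):
        """Return the session's user, or None (and drop it) once it has been idle too long."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.sessions[token]
            return None
        self.sessions[token] = (name, now)
        return name

    def authorize_app(self, session_token: str, app_name: str, now: float):
        """An app token is issued only from a live session that already passed both factors."""
        name = self.session_user(session_token, now)
        if name is None:
            return None
        app_token = secrets.token_urlsafe(32)
        self.app_tokens[app_token] = (name, app_name)
        return app_token

    def app_request(self, app_token: str):
        """The app presents its token; neither password nor second factor is involved here."""
        entry = self.app_tokens.get(app_token)
        return None if entry is None else entry[0]
```

Running this with a registered user shows the split the quotes describe: `login` fails with a correct password but wrong code, `authorize_app` only works while the 2FA-backed web session is alive, and a token already handed to an app keeps working after the web session has idled out, so revoking app tokens is a separate control the second factor does not provide.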
