Following the attack at the weekend, which saw 250,000 user details accessed, Twitter has announced plans to implement two-factor authentication as an option to help users better protect their accounts.
According to news site Ars Technica, a job listing posted by Twitter this week claimed the company is seeking software engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection".
Although Twitter has not commented on its plans, it currently uses the OAuth protocol via applications for authentication and secure socket layer (SSL) encryption to pass user credentials from web browsers and other Twitter clients.
In an email to SC Magazine, security researcher Robin Wood said that he welcomed the move, as two-factor authentication would add a lot of extra security.
“Celebrities, politicians and companies are regularly getting their Twitter accounts taken over, most of the time this is done by simple password guessing or finding a password on another system which is reused on Twitter,” he said.
“The second factor would remove both of these vulnerabilities as even if the attacker got the password they wouldn't have the second factor. It won't completely remove the ability for a determined attacker to get in but it will stop a large number of the attacks.”
Javvad Malik, senior analyst in the 451 Enterprise Security Group, said that it is the provider's responsibility to protect users.
He said: “The fundamental purpose of adding 2FA is to introduce a measure of randomness to an otherwise static password. So yes, it should protect against keyboard loggers or guessed passwords etc, but it all depends on what they do with the session once it's been established.
“It will only really be useful if you force users to sign in every time they want to use the application, possibly also sign them out after a certain period of inactivity. Judging by how people actually use Twitter, I think this will become an overly laborious process that would cause more problems in the long term.
“In my opinion, it's not a Twitter problem; it ties into the wider internet authentication problem we're witnessing. How do you securely but conveniently authenticate users and how do web developers securely design apps so their password databases can't be breached? OAuth type technology is pretty good but much like mobile phone apps, users don't really pay attention to what permissions that app is asking for, they just want to fling birds across the screen.”
With regard to the use of OAuth, Wood said that he was not sure how that would be affected by adding a second factor, as the way it works is for the user to authorise the app that then gets a token.
He said: “When the app wants to talk to Twitter it uses that token. You would need to be logged in to the main website to authorise the app in the first place, which is where the second factor would come in.”