Twitter’s new, two-factor authentication goes beyond SMS tokens
09 August, 2013
category: Digital ID
Following yet another string of high-profile account hacks, Twitter has ramped up its security with a new, app-based two-factor authentication option.
A detailed report from WIRED suggests that the new security measure provides a comprehensive solution that eliminates the reliance on third parties or verification codes sent via SMS text messages.
The new security process seems simple enough: a user enrolls via the mobile app, which then generates a 2048-bit RSA key pair. The private key resides exclusively on the phone, while the public key is uploaded to Twitter’s server.
On Twitter’s end, when the social networking site receives a new login request with a username and password, its server sends back to the user a test in the form of a 190-bit, 32-character random nonce, and a notification containing the time, location and browser info associated with the login request.
From here, the user can opt to approve or deny the login request. If approved, WIRED explains, the app signs the challenge with its private key and relays that response back to the server. The server compares that challenge with a request ID, and if authentic, the user is automatically logged in.
Put another way, sensitive data will still be stored with the user themselves, not in a database or server. So in theory, should another hack occur, those responsible could still access the server but would not be able to log in to specific accounts because they would not have the previously generated key exclusively stored on the user’s device.
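The enrollment and challenge-response flow described above, sketched in Go as an added example (not Twitter's code and not taken from the WIRED report). It assumes the app answers by signing the nonce with RSA-PSS over SHA-256 and that the nonce is 24 random bytes in base64url; all function names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Enroll runs on the phone: the private key stays there, only the public half is uploaded.
func Enroll() (*rsa.PrivateKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// NewChallenge runs on the server for each login request: 24 random bytes,
// base64url-encoded to 32 characters (the encoding is an assumption).
func NewChallenge() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Approve runs on the phone when the user approves: it signs the nonce (scheme assumed).
func Approve(priv *rsa.PrivateKey, nonce string) ([]byte, error) {
	h := sha256.Sum256([]byte(nonce))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify runs on the server, which holds only the public key and the nonce it issued.
func Verify(pub *rsa.PublicKey, nonce string, sig []byte) bool {
	h := sha256.Sum256([]byte(nonce))
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	priv, pub, _ := Enroll() // errors ignored in this demo only
	n1, _ := NewChallenge()
	n2, _ := NewChallenge()
	sig, _ := Approve(priv, n1)
	fmt.Println("fresh:", Verify(pub, n1, sig), "replayed on new nonce:", Verify(pub, n2, sig))
}
```

Because the server stores only public keys, a copy of its database gives an intruder nothing that can produce a valid response, and a captured response is useless against the next nonce.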
This is certainly a step in the right direction for Twitter, but as the solution is still young, expect more measures to be added over time. One utility being considered would allow multiple people to access the same account – a valuable feature to Twitter’s oft-targeted news media clients. This idea would see these third-party Twitter clients given the power to conduct authorization and login approvals without having to generate a temporary password.
For more, see Twitter’s official blog.