After Hijackings, Twitter Adds Two-Step Security Feature

Photo caption: The Syrian Electronic Army claimed responsibility for hacking The Financial Times, including its Twitter feed.

4:41 p.m. | Updated with additional information about security vulnerabilities and new claims of patent infringement.

On Wednesday, Twitter introduced two-factor authentication, a security feature that makes it harder for hackers to hijack users’ accounts.

The rollout follows months of high-profile Twitter hijackings. Syrian hackers have hijacked Twitter accounts of more than a dozen prominent media outlets, from The Associated Press and The Financial Times to The Onion, a parody site, over the past few months. Those attacks — and other break-ins of Twitter accounts for Jeep and Burger King — showed the ease with which Twitter accounts could be cracked. They also elicited much criticism from security experts, who questioned why a company with more than a billion dollars in venture financing, and more than 200 million active users, did not offer two-factor authentication.

Two-factor authentication sends users a second, one-time log-in code by text message to make it harder for a hacker to crack into an account with just the main password. Microsoft, Apple, Facebook and Google all offer users two-factor authentication. In a blog post, Twitter said that it would begin offering the two-step authentication procedure, which is voluntary on the part of users, on Wednesday.

Two-step authentication is by no means foolproof. Twitter accounts for larger brands and news outlets are often managed by several employees, but only one employee would receive the log-in code. In those cases, other employees would only be able to access the account from their usual devices, or would need to get the one-time code from the administrator, a hassle that may discourage brands from using the security feature altogether.

“You can’t close all of the gaps with just one step,” said Mark Risher, a co-founder of Impermium, a security start-up focused on social media. “People may not turn this on because it’s a hassle. And even when it is turned on, there are vulnerabilities.”

Even with two-factor authentication enabled, attackers could still hijack a user’s account by impersonating Twitter in what is known as a man-in-the-middle attack.

“It still raises the bar, and makes hacking into an account significantly harder,” said Mr. Risher.

A Twitter representative said the rollout was delayed because the company needed to update its SMS, or text message, architecture. To use the feature, users will need to update their account settings and register their mobile phone numbers, so Twitter can send them a one-time, six-digit code when they log in.
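The article describes the mechanism only as a six-digit code texted at log-in. As an added illustration (not Twitter's code, and not from the article), the following sketches the server-side half of such a scheme: issuing a random six-digit code, storing only an HMAC of it, and accepting it once, within a short window, with a guess limit so that the tiny one-million-value space cannot simply be enumerated. Class and function names, the five-minute lifetime and the five-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical parameters for the example; the article gives only "six-digit".
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a texted code should be good for minutes, not days
MAX_ATTEMPTS = 5         # with only 10**6 possible codes, guess limiting is essential


@dataclass
class _Pending:
    code_hash: bytes   # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Issues and checks one-time log-in codes for the 'second step' of a log-in."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending: dict[str, _Pending] = {}

    def _hash(self, user: str, code: str) -> bytes:
        # Store an HMAC rather than the plaintext code: a leaked store then
        # does not hand an attacker every live code.
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        # CSPRNG-backed, zero-padded so "000123" is as likely as any other code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = _Pending(
            code_hash=self._hash(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # handed to the SMS gateway; should not be written to logs

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]          # expired codes are discarded, not retried
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]          # burn the code after too many guesses
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        ok = hmac.compare_digest(entry.code_hash, self._hash(user, submitted))
        if ok:
            del self._pending[user]          # single use: the same code cannot be replayed
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore(secrets.token_bytes(32))
    code = store.issue("alice")
    print("texted code:", code)
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

Note what this does and does not address: the code is bound to a user and a time window, but not to the site the user is actually typing it into, which is why the man-in-the-middle concern raised in the article remains even with such a store in place.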

Within minutes of Twitter announcing two-step verification, there were already claims of patent infringement. Kim Dotcom, the Internet tycoon charged with pirating copyrighted material and money laundering, tweeted that he had patented the technology behind two-factor authentication. “Google, Facebook, Twitter, Citibank, etc. offer two-step authentication,” Mr. Dotcom tweeted. “Massive IP infringement by U.S. companies. My innovation. My patent.”

Mr. Dotcom wasn’t alone in claiming infringement. Last month, after Microsoft began offering two-factor authentication, a Microsoft subsidiary, PhoneFactor, was sued by StrikeForce Technologies, which claimed its patents had been infringed. StrikeForce, an Edison, N.J., maker of authentication technology, claimed that it was the “sole patent holder for out-of-band authentication.” The company plans to expand its patent suit beyond Microsoft to other technology companies that now offer two-factor authentication, according to a StrikeForce investor.

A Twitter representative said the patent suit did not play a part in being slow to introduce the service.

In its blog post, Twitter said much of the work it did to offer two-factor authentication would allow it to offer additional security features. “Much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future,” Twitter wrote. “Stay tuned.”