Skip to main content

It's Not Unhackable, But Twitter Makes a Start

This week Twitter introduced a new two-factor authentication process to verify account logins.  This comes on the back on some pretty big Twitter account hacks in recent months.  Now, whilst you can argue that it is not Twitter (or any other service providers) responsibility for you to keep your account details secure, they potentially do have a duty to some extent to make increased security an option if an end user does want to use it.

A typical end user isn't particularly interested in security.  Yes, they don't want hacking, yes, they don't want to have their bank details stolen, or their Facebook timeline polluted with nasties, but a typical end user won't actively take extra steps to avoid that from happening.





The concept of strong passwords is pretty much standard these days.  At least 8 characters, an uppercase letter, a number and / or a special character too.  End users have a list of passwords in their minds that fit the criteria.  Unfortunately these passwords are probably being recycled across every site that requires a 'complex' password, perhaps incrementing the number at the end every time it expires.

The use of secondary verification, become familiar for typical web users, when Facebook verification was introduced a year or two back.  If you login to Facebook from an unknown device or network location, you are asked to go through an additional set of verification steps.  This could include security question responses (knowledge based authentication), mobile verification or the most interesting in my mind, confirming you know the people in selected photos from your albums.  Again this is a form of KBA, but without the need to set up or remember arcane questions about your first pet or primary school.

To set up Twitter's additional verification isn't particularly complicated.  A couple of minutes setting up a phone to use as the registered verification device and a few test text messages and you're done.  Albeit the mobile anti-virus scanner on my phone flagged the responding text message from Twitter as 'suspicious' made me smile.

But will this extra step prevent hacks?  The simple answer is no, well yes in some cases, but maybe in others!  Basically there is no simple answer.  Of course it makes cold hacking a lot more difficult, due to having to break something someone knows (the password) alongside breaking the physical something someone has (the phone).  However, what happens if you lose your phone?  I for one do most of my tweeting from a smartphone as many others do to.  For a single end user that could pose an issue as both the Twitter client will undoubtedly have a cached password and obviously the physical phone is able to receive the text message for verification.

However, in corporate PR scenarios a large client may require a team of 3,4 or more executives managing the Twitter account.  Twitter is alive 24x7 and no one individual could manage that for a large consumer client.  This therefore results in multiple machines and potentially multiple clients.  Whilst those clients can be authorised, the security risk is spread as you have multiple access vectors for malware, accidental misuse, malicious misuse and so on.  So whilst Twitter has upped its game on the backend, end users still have a duty with regards managing who has access to the account in general and how those users are managed and vetted.

If nothing else, the introduction of an additional authentication factor increases the information security awareness for the typical end user and starts to make security a much more common step when using services and websites.  The important step next, for Twitter and others, is to make sure there is a larger security 'reward' for those who do engage in the extra steps.

By Simon Moffatt

Popular posts from this blog

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Online-ification: The Role of Identity

The Wikipedia entry for Digital Transformation, "refers to the changes associated with the application of digital technology in all aspects of human society".  That is a pretty broad statement.

An increased digital presence however, is being felt across all lines of both public and private sector initiatives, reaching everything from being able to pay your car tax on line, through to being able to order a taxi based on your current location.  This increased focus on the 'online-ification' of services and content, drives a need for a loosely coupled and strong view of an individual or thing based digital identity.