Twitter's new security feature: Good intention but a hassle
The difficulty in using Twitter's new login verification feature will likely make it useful only to actors, politicians, and other high-profile users willing to go through the hassle for tighter security.
Twitter, like Google and Facebook, is experimenting with multi-factor authentication as a backup to the traditional user name and password, which most experts agree is no longer sufficient to protect user accounts. In its latest attempt to bolster security, Twitter has made the mobile phone the keeper of the crown jewels.
Twitter's approach relies on asymmetric cryptography: an iOS or Android device generates a private key and a public key. The private key never leaves the phone, while the public key is stored on a Twitter server.
Together, the keys keep track of clients trying to log into a Twitter account. If someone tries to log in from a Web browser, then a notification is sent to the phone, asking the user to OK the request for entry.
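The browser-login approval flow described above, written out as an added example in Go; this is illustrative code, not Twitter's implementation. It assumes Ed25519 keys and a random, single-use challenge bound to the user and the requesting client, details the article does not specify.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server holds only public keys (assumed Ed25519) and one outstanding challenge per user.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // username -> enrolled public key
	pending map[string][]byte            // username -> challenge awaiting the phone's OK
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores the phone's public key; the private key never leaves the phone.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// BrowserLogin runs after a correct password from a Web client and issues a fresh random
// challenge bound to the user and client, which would be pushed to the phone for approval.
func (s *Server) BrowserLogin(user, client string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("login verification not enrolled")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = append([]byte(user+"|"+client+"|"), nonce...)
	return s.pending[user], nil
}

// Approve checks the phone's signature over the exact outstanding challenge. The challenge
// is consumed on every attempt, so an observed approval cannot be replayed later.
func (s *Server) Approve(user string, challenge, sig []byte) bool {
	expected, ok := s.pending[user]
	delete(s.pending, user)
	return ok && bytes.Equal(expected, challenge) && ed25519.Verify(s.pubKeys[user], challenge, sig)
}

// Phone keeps the private key and signs a challenge only when the user taps OK.
type Phone struct{ priv ed25519.PrivateKey }

func NewPhone() (*Phone, ed25519.PublicKey) { // key pair is generated on the device
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Phone{priv: priv}, pub
}

func (p *Phone) OK(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }
```

Because the server stores only the public key, a leak of its database does not let anyone approve logins; the risk the article goes on to discuss is the private key on a lost, stolen or malware-infected phone.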
The architecture is not new, but Twitter's latest effort falls short of other such moves.
Too many gaps
"I've certainly seen better implementations," said John Bradley, senior technical architect for Ping Identity and a contributor to open authentication standards. "What they have is not the worst multi-factor authentication in the world by any margin, but neither is it the best."
To use the new login verification, a person must always be signed into the Twitter app on the phone. Signing out kicks you out of the feature, and you have to opt in all over again. In addition, users have to keep a backup code safely tucked away in case they need to sign in with a new phone that replaces a lost or stolen one.
People who use a tablet will also have to remain signed in to avoid a hassle. Those who sign out won't be able to get back in without first signing into Twitter through a Web browser and generating a temporary password.
Staying logged in to avoid the inconvenience means that if the mobile device is lost or stolen, whoever holds it has immediate access to the Twitter account. While people can set a password for unlocking a device, many users don't take advantage of that feature.
Michael Versace, an analyst for Gartner, questioned whether keeping the all-important private key in the phone—particularly an Android device—is more secure. The platform is the favorite target of cybercriminals, and the number and sophistication of tools and malware for compromising Google's operating system are growing.
"When private keys are compromised, bad things can happen," Versace said.
Mobile risks increase
The number of malicious and high-risk Android apps rose to 718,000 in the second quarter of this year from 509,000 in the previous three months, according to Trend Micro's 2Q 2013 Security Roundup. The security vendor also found that cybercriminals are getting better at exploiting flaws in the Android platform, which accounts for the majority of mobile phones.
Besides cybercriminals, Twitter users also have to think about the security of their phone backups, since a backup can contain the key. Twitter recommends encrypting all data.
While experts agree that multi-factor authentication is much better than using only passwords, it is confusing to most people. That's because each website has its own unique implementation, making them difficult for users to keep track of. As a result, most are unlikely to opt in and will continue using only their user name and password, experts say.
"To catch on, (multi-factor authentication) has to be easier than a password," Bradley said. "To get broad adoption, it has to be faster, more fun and better in some way than what people are used to with passwords."
The security industry is taking steps to develop an open authentication system that all sites could use to replace the current fragmentation. One organization gaining traction is the Fast Identity Online (FIDO) Alliance.
The nonprofit organization is working on standards-based technology that would enable a website to authenticate a visitor through the connecting device. FIDO, which Google joined in April, expects to have production-ready specifications available by early next year.