In case you hadn’t seen the news, Twitter login verification was announced yesterday. While I certainly don’t want to praise Twitter for implementing second-factor authentication login long after they knew a problem existed, it does remain a solid step in the right direction.
This should help lower the instances of account hijacking; however, more advanced phishing methods, possibly involving malware, can still thwart this simple SMS-based method. We have first-hand knowledge from the financial industry that the SMS channel is compromised.
The hindrance to user adoption will be that the average user desires the least amount of friction between themselves and the Twitter interface. And while not all accounts are created equal, the SMS-based approach will suffice for a large portion of the user population.
There are methods available today to provide a greater level of identity assurance via mobile devices.
Hopefully Twitter will continue investing in user authentication methods that provide greater levels of identity assurance for more prominent, higher-risk accounts. Even some simple, transparent methods may be enabled to help provide increasingly better security for users. These transparent methods are designed to limit user frustration and login friction.
A potential negative side effect of this SMS-based approach? Mobile malware targeting the SMS channel will likely increase faster than at the current pace, further capitalizing on the casual nature of the social channel. This will only further the need to provide the Associated Press and the like with higher assurance options.
Caveats aside, we strongly encourage everyone to enable Twitter’s login verification. Just because you don’t think you are a target doesn’t mean you shouldn’t take steps to properly secure your identities. Providing your username, password and an SMS-based verification code isn’t that hard and doesn’t take much time.
If you prefer to stay here for instructions, see below.
UPDATE: In light of Twitter’s implementation of weak second-factor authentication, which they call “login verification,” it has come to my attention that the entity behind the rash of account takeovers on high-profile Twitter accounts is already in the process of updating their phishing pages to ask for the newly implemented “login verification.” This is not surprising and is another example of malicious groups’ ability to quickly adapt, even in light of new defensive measures. (05/23/2013 11:40 am CST)