San Francisco – After a sophisticated attack hit Twitter’s users over the weekend, the micro-blogging firm is ramping up their efforts to implement a “two-factor authentication” option that would make it impossible for hackers or vandals to break into accounts – even if they acquired the passwords.
This rigorous decision follows Twitter’s Friday disclosure of a security breach affecting an estimated 250,000 of its 250 million users. Following the disruption, Twitter reset passwords for all affected users but said its related investigation – including identifying exactly what data attackers accessed – remains underway.
“This week, we discovered unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” said Bob Lord, Twitter’s director of information security, in a Friday blog post.
So far, however, it is not exactly evident as to what the attackers may have accessed. “We detected one live attack and were able to shut it down in process moments later,” Lord said. “However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
The two-factor authentication (2FA), generically, is an approach to authentication that has multiple layers. Around the web, other companies have been gradually introducing multi-factor authentication in the past few years. These include Google, Facebook, Yahoo, Amazon Web Services, Dropbox, Blizzard’s Battle.Net, and Valve’s Steam.
Essentially, the two-factor authentication adds an extra layer of safety to any service, as well as effectively alerting the true owner when attempts are made to hijack the account. It is usually applied with a combination of a password and mobile alert.
So, when a new device/location ventures to log on to a Google account, which is also offered as an option for its Gmail email system, even when entering the correct password, unless accompanied by a short numerical code that is sent separately to the account owner’s mobile phone.
Thus, this way, an unauthorized user would not only have to obtain your password, but also your phone in order to access your account. It is simply another layer of security, and one that companies like Google say “drastically reduces” the chances of a bad guy getting their hands on your personal info.
In fact, people from all walks of life are appreciating the decision – Graham Cluley, senior technology consultant at the security company Sophos, said: “This is an excellent idea – I’m looking forward to it. It is something that we have wanted for some time. We have often said we would be prepared to pay for it – Twitter could monetize it by offering it to corporations and branded accounts. It would be pretty attractive.”
Another interesting thing discovered by The Guardian is a job posting on Twitter’s employment site, the micro-blogging hub is looking for a software engineer to fit in to its product security division.
The post is for a full-time software engineer in the specialized area of product security. One of the responsibilities for the new engineer will be to “design and develop user-facing security features, such as multi-factor authentication and fraudulent log-in detection.” The job listing also says that the new engineer’s work will “directly impact the security of hundreds of millions of Twitter users.”
However, as for any online service, Twitter accounts are exposed to being compromised and used for nefarious purposes – whether that be malicious spam messages or simply hijacking tweets in order to expose or embarrass.
Apparently, Twitter added SSL-the Secure Sockets Layer-connectivity to its website and third-party apps in August 2011, ensuring that users’ identity could not be captured via open Wi-Fi networks, for example. Also, it has stated that they have “certainly explored two-factor authentication,” but to date the company has made no public declarations of intent. While this job posting is far from conclusive evidence that Twitter now firmly plans to implement 2FA, it does suggest.