Hacker News
Twitter said to be testing two-step security in wake of AP hack (cnet.co.uk)
54 points by greyman on April 24, 2013 | hide | past | favorite | 26 comments



A few years ago there was a strange byline on a few tweets from @spam; it said "by {username}", indicating that there was some sort of system allowing specific users to send tweets from a different account. Here is a screenshot from January 2010: http://i.imgur.com/o0iVS.png

Does anyone have any insight on why Twitter haven't implemented that sort of system (nominated accounts able to tweet from a corporate account) and seemingly abandoned the idea in 2010? One of our Twitter accounts has ~30,000 followers and we have to share the password amongst the company in a spreadsheet, that sort of poor security is encouraged by a single login model, with all the previous high profile account compromises it seems strange Twitter hasn't addressed this before. Maybe someone knows why, or can speculate why?


Is that at all mitigated by tools like HootSuite or other corporate Twitter clients that allow multiple people to manage an account?

I'm not saying that it's acceptable that Twitter leaves that in the hands of vendors/users, I'm genuinely curious and wondering why the idea was parked in the first place.

I'd guess that it is part of a future offering from Twitter, but who knows.


This is the "Contributors" feature, which has been tested internally and with a few partners, but has never been widely enabled. It's in the public API, but still disabled for all but internal accounts and those few partners. https://dev.twitter.com/docs/api/1/get/users/contributors

I don't have any current insight into the status of Contributors, and won't speculate, but the feature has been stagnant for almost 3 years now (just like Lists).


Depends... Which is a worse attack vector: a single account with a shared password, or a shared account where each person has their own personal account password?

Twitter really needs shared accounts + required two-factor for the personal accounts.


At the very least it's better for auditing. If one of your employee's accounts is hacked to send a fake tweet you immediately know which one instead of potentially having no way to know.


Two factor authentication is a funny thing in 2013.

All computer users understand passwords (and the basics of password complexity/secrecy) at this point. That covers the "something you know" factor.

Many users conceptually understand a "something you have/are" factor in the form of biometric scans or smartcards. Unfortunately, those approaches are not practical to deploy outside a controlled enterprise setting.

On the Web, the only approach that isn't a non-starter today is TOTP, what Google Authenticator uses. Unfortunately, basically zero users understand this, creating a large education issue, and frankly it's a pain in the neck for users ("why do I need to go find my phone to log in??"). The upside is it's easy for Web app developers to integrate TOTP, and it adds significantly to account security if used correctly.

Facebook and Google have offered this as an option for quite some time, and with Twitter's current prominence as part of corporate advertising, I am surprised they are this late to the party.


I really, really wish you were right when you said "All computer users understand passwords [...]". I frequently end up doing a lot of support stuff for my father, and he's not really that old.

His line of work has him dealing with some pretty sensitive material, and two-factor authentication is required for it... something that, when introduced, was a source of many calls and angry shouting. I could have deferred this to their tech people, but I'd much rather spare them the anguish. ;)

Bottom line: It's getting better, but you are still, unfortunately for us all, way too optimistic.


> Unfortunately, those approaches are not practical to deploy outside a controlled enterprise setting.

In what way? Bloomberg uses custom hardware developed in-house (the "B-unit") for four-factor authentication (password, biometric, visual sync, token). These devices are sent to customers all over the world where there is no control over them. All of the device and biometric enrollment is done through the software remotely when the device is received by the end user. So in my experience it is definitely possible to do this outside of the typical employee/enterprise scenario.


Background on the B-Unit: http://www.bloomberg.com/bunit/Overview_Features.pdf

Definitely an interesting device.


I haven't seen the B-unit before, but that is an interesting device.


How are smartcards not practical outside of a controlled enterprise? The biggest issue I see is that most people do not have smartcard readers, but that could be fixed pretty quickly.


In Finland there was a serious attempt to use smart cards for the general populace. It didn't pan out, mostly because nobody had card readers and it had to compete with OTP-based solutions which didn't require extra hardware.


Any service that acts as an oauth provider but which doesn't use 2 factor is being grossly negligent, and should be avoided.


Two-step authentication, especially for something as prominent as twitter, is always a good thing. So, kudos to them.


> kudos to them.

Kudos for being horribly late and reactive instead of proactive?

This should have been implemented long, long ago imo. Though I do give them more slack than all of our banking institutions that still don't offer two-factor. But these recent events show how important two-factor (or security in general) is, even for things like social media.


I am surprised that Twitter has not used features like this for bigger customers as a monetizing strategy. When they used to have a user cap, they could have just charged companies or people to go over that cap. Same thing here: charge for two-factor authentication. Maybe even charge for verified accounts.


Imagine logging in to services only using Google Glass. When prompted to log in, a temporary passcode pops up on Glass. I think it would make two-factor authentication much more streamlined and unobtrusive compared to having your phone beside you and opening an app just to log in.


Good news! Your service is now so popular, well liked, and extensively used that important organizations use it and trust it.

Bad news: Now you have to go the extra mile to make sure it isn't misused.

I think this still falls into the category of problems that it's good to have, barely.


I had thought that they would most definitely be thinking of 2 factor authentication.

Couldn't they even achieve this quickly using Twilio to send SMS token codes to users who opt to have 2 factor auth?


Maybe accounts for clients like the AP need not a two-factor system, but perhaps messages should only originate from a whitelisted set of IP addresses.


This isn't really a good solution for mobile phones which change IP address frequently.


Of course it isn't. But I can't imagine why the AP would want anyone to send tweets on their behalf from a mobile phone.

Maybe there isn't a single solution that meets the needs of every user.


>But I can't imagine why the AP would want anyone to send tweets on their behalf from a mobile phone.

Reporters in the field? Especially in a breaking news situation where they want to be first.


Are you suggesting that there may be many AP reporters who are authorized to tweet on AP's behalf from the field, implying a total lack of editorial control (and probably a total lack of coordination as well)? I think that is very unlikely. I'd find it very hard to believe that there isn't a very well defined system in place to control all official correspondence.

They have a news desk that is staffed 24 hours per day. Surely a person there could monitor tweets or communications from reporters in the field. I'd even expect there to be a different individual with the keys to the Twittermachine.


Make it a publicly visible badge so we know how serious account holders are about their security.


I just hope they will use the same standard mechanism that Google and now MS use.



