

How to Enable Two-Factor Authentication on Twitter and Other Popular Sites - riledhel
https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web

======
lucian1900
I don't get why Apple and Twitter don't support TOTP. It makes their 2FA
useless for lots of people.

~~~
e1ven
Twitter already has a huge infrastructure for SMS; reusing it makes some sense
from an internal-logic standpoint.

For Apple's use-case, their users already have phones, and understanding TOTP
would make it harder. Push notifications are already pretty straightforward,
so building on top of that also makes sense.

For Google, for instance, I often use their SMS verification rather than going
to the authenticator anyway - It's faster, easier, and gets me logged in. It
still raises the barrier of entry versus just guessing my password.

~~~
lucian1900
I don't think they should remove SMS support, but that it's not sufficient on
its own.

At least for me, TOTP is much faster than SMS would be: request it, wait for
it to arrive - if I have good signal, get to it on my phone vs. open the
authenticator app and read one of the codes.

------
markild
Did not know that Facebook has support for two-factor authentication.

Appreciate that EFF is putting effort into awareness on this issue.

------
mipapage
Good stuff; FWIW, I've been playing with the Twilio (php) implementation and
so far it looks like we may use this for a certain client...

<http://www.twilio.com/docs/howto/two-factor-authentication>

------
captn3m0
Twitter doesn't allow me to add 2fa because my carrier (BSNL/India) isn't
supported. Facebook doesn't give me an option to add Login Approvals because
it's not rolled out to everyone. I need 2fa, and I need it now!

------
edward
Disappointing that each provider uses a different name. Imagine if they each
had their own name for the password field. They should all just call it
two-factor authentication.

~~~
sp332
"Two-factor authentication" is too vague. Biometrics, smart cards, and
one-time pads could all be used as second factors.

------
Rezo
Great, now that my Twitters, Googles and Dropboxes are 2FA enabled, how about
a US bank follows suit? Pretty please? Ally, ING?

~~~
cheald
USAA offers sms-based 2fa. It's a bit clunky but it's there.

------
otibom
I have a question about this. What happens if I lose my phone? Do I lose
access to the account?

~~~
captn3m0
I'm not aware of how other services handle this, but Google hands you "Backup
Codes" that you can use when you don't have your phone. Google recommends
keeping them in your wallet, but I keep them safe on LastPass, which helps when
you are without both your phone and wallet.

------
joshbetz
WordPress.com also uses Google Authenticator to enable two factor auth.

------
shurcooL
Not using SMSs. Waiting until Google Authenticator or similar support.

------
peterwwillis
Phishing [and mitm] attacks are not mitigated by two-factor.

[http://www.digitaltrends.com/social-media/thanks-twitter-but...](http://www.digitaltrends.com/social-media/thanks-twitter-but-heres-everything-thats-wrong-with-your-two-factor-authentication-set-up/)

 _"So how can anyone hack Twitter with two-factor authentication in play? The
account info you’ve just entered will automatically be entered into the real
Twitter.com by the hacker. And seeing as how you’ve had your account info
entered into Twitter.com for you, Twitter’s two-factor authentication will
ping the victim with the SMS and temporary password as expected, Toopher (a
two-factor security service) CEO Josh Alexander explains.

At that point, since you’ve received an SMS from Twitter, you’re probably
under the assumption that the account recovery process seems legit and would
continue to enter in that temp password into the fake Twitter site. Of course
once that’s done you’ve lost complete control of your account."_

[http://www.theregister.co.uk/2007/04/19/phishing_evades_two-...](http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/)

 _"Hackers sent the customers emails falsely claiming to be from ABN Amro. If
recipients opened an attachment, software was installed on their machines
without their knowledge. When customers visited their banking site, the
software redirected them to a hacker-controlled mock site that requested their
security details.

As soon as the hackers received these details they were able to log into a
customer's account at the real ABN Amro site, before the expiry of the fob-
generated number. They could then transfer the customer's money."_ (they
didn't need to redirect the customer to intercept the credentials but it makes
it harder to detect)

~~~
mseebach
No, and it also doesn't solve global warming. But it's a huge step in the
right direction.

~~~
peterwwillis
It's not a huge step. Training users not to reuse passwords (or login IDs!)
would be a huge step. Not using easily found personal information for password
recovery would be a huge step. Implementing the second factor in a less feeble
way would be a huge step.

This is a small step. Like a padlock made of cardboard, this is the weakest
attempt they could make. They probably don't even use heuristics to determine
if your environment has changed so they can re-challenge you (now industry
standard among authentication solution providers).

Twitter added this feature because they've had too many high-profile hacking
stories in the media and nobody would keep investing in a company whose
security track record is a tabloid joke. This is a step towards keeping their
users and potential investors from running for the hills.

Here are some alternative methods to secure user credentials:

- Bcrypt

- Require the login ID to be separate from their email address or public
handle

- Verify two-factor PINs via reply

- Additional authorization methods for group accounts (no shared logins)

- Open standards like TOTP

- Physical tokens

- Strengthen password recovery measures

~~~
cstejerean
In what way is bcrypt an alternative method when compared to two factor auth?
Also, from the point of view of the live MITM attack you mentioned above
physical tokens or TOTP wouldn't help either. What exactly are you proposing
they do?

~~~
peterwwillis
Err, you're right, bcrypt wouldn't help stolen passwords and a token wouldn't
help a mitm. TOTP would be useful if it were used in a separate channel, but
not in this case. I was just brainstorming ways to make authentication suck
less in general.

