

Thoughts on Twitter's new Two-Factor Authentication - cveigt
http://blog.authy.com/twitter

======
abalone
Not a tremendously compelling argument, and I think the company may come to
regret the know-it-all tone of the post. Hubris is not what you want in a
security platform company.

The author cites two "flaws":

1. Your phone is offline sometimes.

Twitter has a backup code mechanism that covers this case. They talk about it,
right in the post.

2. An attacker can send verification requests that look exactly like yours.

The sole use case for this mechanism is to verify login attempts by the
phone's owner in _real-time_. If a verification request comes in and you're
not actually trying to log into Twitter, or if you see more than one, you know
you're being attacked.

It's true if you share a login among multiple coworkers then you're vulnerable
to being tricked. But that's a bad practice to begin with, and this 2-factor
system is still a massive improvement in security even for that scenario.

~~~
jlmorton
While I agree that Twitter's mechanism addresses the vast majority of
potential attacks against a person's Twitter account (which would almost
always be remote), it's not hard to imagine a scenario like Authy describes.

Imagine you're at work, logging in to a two-factor system. Now imagine your
attacker is sitting 15 feet away from you. All the attacker needs to do is
wait for you to attempt to login to the system before attempting to login
himself.

When we have penetration tests run against us, this is exactly what is
happening. We give the penetration tester a desk, a connection to the internal
corporate network, and the same bare level of access we would give to a
temporary contract employee.

~~~
DaveMebs
And if you see multiple requests on your phone, you know it's an attack and
you should reject both. The criticism is basically "someone might see a bunch
of requests and, not knowing which is theirs, approve them all." If someone is
that foolish, you're already in trouble.

~~~
abalone
I agree except for the part about not caring about foolish users.

For me, it is more about asking yourself what approach will increase the
overall security of a system. User adoption is a critical consideration. That
is where Twitter's approach shines. It's something that is super easy to
adopt, no numbers to type in, which means literally millions more users may
adopt it. Authy is undervaluing that consideration.

Yes, this is vulnerable to a) foolish users who approve duplicate requests and
b) users who have an attacker looking over their shoulder.

Pretty good tradeoff IMHO.

------
dmix
Neither TOTP (Google Authenticator) nor Twitter factors in how easy it is to
malware/root Android phones these days. I still prefer Yubikey or other
opensource cards until the state of mobile security improves (for ex
SEAndroid).

~~~
icebraining
But TOTP != Google Authenticator. The advantage of TOTP is that, as an open
standard, it can be implemented by anyone.

For example, here's a hardware token implementing the protocol:
[https://www.safenet-inc.com/products/data-protection/two-fac...](https://www.safenet-inc.com/products/data-protection/two-factor-authentication/etoken-pass/)

------
sbarre
My first experience with the new two-factor auth has been poor.

1. I sign into Twitter with my browser

2. My phone receives a push notification saying that I have a pending auth
request.

3. So I click it and load the Twitter iOS app, and I see "You have no login
requests" for that account, no matter how much I refresh it (it has been 10
minutes now).

4. Now I can't get into my Twitter account on the browser.

The urge to disable it is certainly strong.

~~~
WiseWeasel
Did you update to version 5.9 of Twitter for iOS, released 8/6, featuring
support for login verification? Maybe the notification should mention that
requirement.

~~~
dunham
Or don't send a notification to that deviceToken until the user has installed
the new version of the app and sync'd at least once. (Letting the server know
the deviceToken points at the newer version of the app.)

------
elliottcarlson
Would one possible solution be to show a random word on the screen and add
that as part of the authentication request? This would allow it to pair up
with what you currently see on the screen and keep it simple enough where IP
address or other technical details aren't required to be known.

~~~
tiziano88
I like this idea, it's similar to what modern tablets and phones use for
Bluetooth pairing: instead of asking to enter a number on the other device,
they just ask you to check whether they match up.
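The match-word idea from elliottcarlson's comment and tiziano88's pairing analogy, sketched as a small approval server; this is added example code, not anything Twitter or Authy ship, and the word list, the request TTL and the method names are assumptions. The point it shows is that when two requests are pending at once, approval by displayed word picks exactly one of them instead of leaving the phone user to guess.

```python
import secrets
from dataclasses import dataclass

# Hypothetical word list standing in for the "random word" shown in the browser.
WORDS = ["anchor", "basil", "comet", "delta", "ember", "falcon", "garnet", "harbor"]


@dataclass
class LoginRequest:
    request_id: str
    match_word: str          # displayed in the browser that started the login
    created_at: float
    approved: bool = False


class ApprovalServer:
    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds
        self.pending = {}    # account -> {request_id: LoginRequest}

    def _live(self, account: str, now: float) -> list:
        reqs = self.pending.get(account, {})
        # Drop expired requests so a stale one can never be approved later.
        for rid in [r for r, q in reqs.items() if now - q.created_at > self.ttl]:
            del reqs[rid]
        return list(reqs.values())

    def start_login(self, account: str, now: float) -> LoginRequest:
        """Browser side: register a pending request and hand back the word to display."""
        in_use = {r.match_word for r in self._live(account, now)}
        free = [w for w in WORDS if w not in in_use]   # no two live requests share a word
        if not free:
            raise RuntimeError("too many pending login requests for this account")
        req = LoginRequest(secrets.token_hex(8), secrets.choice(free), now)
        self.pending.setdefault(account, {})[req.request_id] = req
        return req

    def phone_view(self, account: str, now: float) -> list:
        """Phone side: words of all live requests; more than one means a second party is trying."""
        return sorted(r.match_word for r in self._live(account, now))

    def approve(self, account: str, word_confirmed: str, now: float) -> bool:
        """Phone side: approve only the request whose word matches what the user sees on screen."""
        for req in self._live(account, now):
            if secrets.compare_digest(req.match_word, word_confirmed):
                req.approved = True
                del self.pending[account][req.request_id]
                return True
        return False            # no live request carries that word: nothing is approved
```

A plain approve/deny push, by contrast, has no way to say which of two pending requests the tap refers to.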

------
theg2
I know Twitter did this (primarily) in response to the AP hacking, but I fail
to see how this change is going to help organizations (say...news) with
multiple people sharing an account for business purposes.

We want to secure with 2 factor here in our offices, but it involves giving 10
people the app and possibly getting spammed every time someone logs in. I
realize they went for this approach rather than have your average user type in
numbers but I can't help but feel confused by this move.

~~~
snowwrestler
It is astounding to me how many companies who clearly want, welcome, and
benefit from organizational users, fail to provide admin experience that works
for organizations.

Why doesn't Twitter (and YouTube, also a terrible offender), simply allow
multiple accounts to manage a corporate channel? Like Facebook does with
Pages, or Google Analytics with profiles?

Instead we have to either share a single password among multiple people (not
secure) or use third party apps like HootSuite (and now your security totally
depends on that app, not Twitter).

------
kylelibra
For anyone who is interested in implementing two-factor authentication, Authy
(company behind blog post) is quite easy to use. I recommend it.

~~~
darkstar999
They suffer from the "click company logo after reading their blog and it takes
you to their blog" syndrome.

~~~
mechanical_fish
There appears to be a (badly titled) menu item that takes you to the company
site, but it's hidden beneath the "hamburger" icon, which inexplicably appears
even when the web page is full-screen on my laptop but is replaced by real
menus at _small_ screen sizes.

Puzzling.

------
bpicolo
Not sure why there are complaints about it only working when the phone is
online. Twitter will only work with a phone online anyway.

~~~
mpyne
It's possible to have computer Internet connectivity in an area with no cell
phone reception. I go to a place like that about once a year at least, or so.

~~~
dubcanada
Maybe they are trying to tell you to stop tweeting about it, put down your
phone and enjoy your vacation?

~~~
mpyne
I don't think they can be, as I don't have a Twitter account.

Certainly I would be pissed beyond belief if I tried to login to my bank
(assuming they ever pull their heads out of their asses to support 2FA) and
couldn't because I don't have cellular service in addition to Internet.

~~~
gamacodre
I already have this problem; both my bank and my credit union introduced 2FA
but only with SMS. Once enabled, any attempt to log in using a not-yet-
authorized browser or app is stalled until I get that text message. Presumably
a call to customer service would sort it out eventually, but that prospect
isn't terribly pleasant.

~~~
krrrh
Every time I have to call customer support to reset a bank password it makes
me realize how bad of a security hole most phone support is. Security through
two-factor authentication is only as strong as the process for bypassing it.

------
umsm
I have a bad feeling that one of these days we will lock ourselves out of our
own accounts...

------
zobzu
Mozilla Persona also uses pub/private key pairs, btw. And it seems just fine.

OTPs are great and all but in the end you keep the damn unhashed secret on all
machines that have to accept the OTP.

