
Twitter said to be testing two-step security in wake of AP hack - greyman
http://crave.cnet.co.uk/software/twitter-said-to-be-testing-two-step-security-in-wake-of-ap-hack-50011027/
======
citricsquid
A few years ago there was a strange byline on a few tweets from @spam. It said
"by {username}", indicating that there was some sort of system allowing
specific users to send tweets from a different account. Here is a screenshot
from January 2010: <http://i.imgur.com/o0iVS.png>

Does anyone have any insight into why Twitter haven't implemented that sort of
system (nominated accounts able to tweet from a corporate account) and
seemingly abandoned the idea in 2010? One of our Twitter accounts has ~30,000
followers and we have to share the password amongst the company in a
spreadsheet. That sort of poor security is encouraged by a single-login model;
with all the previous high-profile account compromises it seems strange
Twitter hasn't addressed this before. Maybe someone knows why, or can
speculate why?

~~~
smackfu
Depends... Which is a worse attack vector: a single account with a shared
password, or a shared account where each person has their own personal account
password?

Twitter really needs shared accounts + required two-factor for the personal
accounts.

~~~
benmccann
At the very least it's better for auditing. If one of your employees' accounts
is hacked to send a fake tweet you immediately know which one, instead of
potentially having no way to know.

------
tedchs
Two factor authentication is a funny thing in 2013.

All computer users understand passwords (and the basics of password
complexity/secrecy) at this point. That covers the "something you know"
factor.

Many users conceptually understand a "something you have/are" factor in the
form of biometric scans or smartcards. Unfortunately, those approaches are not
practical to deploy outside a controlled enterprise setting.

On the Web, the only approach that isn't a non-starter today is TOTP, which
Google Authenticator uses. Unfortunately, basically zero users understand
this, creating a large education issue, and frankly it's a pain in the neck
for users ("why do I need to go find my phone to log in??"). The upside is
it's easy for Web app developers to integrate TOTP, and it adds significantly
to account security if used correctly.

Facebook and Google have offered this as an option for quite some time, and
with Twitter's current prominence as part of corporate advertising, I am
surprised they are this late to the party.

~~~
apaprocki
> Unfortunately, those approaches are not practical to deploy outside a
> controlled enterprise setting.

In what way? Bloomberg uses custom hardware developed in-house (the "B-unit")
for four-factor authentication (password, biometric, visual sync, token).
These devices are sent to customers all over the world where there is no
control over them. All of the device and biometric enrollment is done through
the software remotely when the device is received by the end user. So in my
experience it is definitely possible to do this outside of the typical
employee/enterprise scenario.

~~~
EvanAnderson
Background on the B-Unit:
<http://www.bloomberg.com/bunit/Overview_Features.pdf>

Definitely an interesting device.

------
marcuspovey
Any service that acts as an oauth provider but which doesn't use 2 factor is
being grossly negligent, and should be avoided.

------
chops
Two-step authentication, especially for something as prominent as twitter, is
always a good thing. So, kudos to them.

~~~
jug6ernaut
> kudos to them.

Kudos for being horribly late and reactive instead of proactive?

This should have been implemented long, long ago IMO. Though I do give them
more slack than all of our banking institutions that still don't offer
two-factor. But these recent events show how important two-factor (or security
in general) is, even for things like social media.

------
herge
I am surprised that Twitter has not used features for bigger customers like
this as a monetizing strategy. When they used to have a user cap, they could
have just charged companies or people to go over that cap. Same thing here:
charge for two-factor authentication. Maybe even charge for verified accounts.

------
awold
Imagine logging in to services only using Google Glass. When prompted to log
in, a temporary passcode pops up on Glass. I think it would make two-factor
authentication much more streamlined and unobtrusive compared to having your
phone beside you and opening an app just to log in.

------
InclinedPlane
Good news! Your service is now so popular, well liked, and extensively used
that important organizations use it and trust it.

Bad news: Now you have to go the extra mile to make sure it isn't misused.

I think this still falls into the category of problems that it's good to have,
barely.

------
shaydoc
I had thought that they would most definitely be thinking of 2 factor
authentication.

Couldn't they even achieve this quickly using Twilio to send SMS token codes
to users who opt to have 2 factor auth?

------
fnordfnordfnord
Maybe accounts for clients like the AP need not a two-factor system, but
perhaps messages should only originate from a whitelisted set of IP addresses.

~~~
justin
This isn't really a good solution for mobile phones which change IP address
frequently.

~~~
fnordfnordfnord
Of course it isn't. But I can't imagine why the AP would want anyone to send
tweets on their behalf from a mobile phone.

Maybe there isn't a single solution that meets the needs of every user.

~~~
xxpor
> But I can't imagine why the AP would want anyone to send tweets on their
> behalf from a mobile phone.

Reporters in the field? Especially in a breaking news situation where they
want to be first.

~~~
fnordfnordfnord
Are you suggesting that there may be many AP reporters who are authorized to
tweet on AP's behalf from the field, implying a total lack of editorial
control (and probably a total lack of coordination as well)? I think that is
very unlikely. I'd find it very hard to believe that there isn't a very well
defined system in place to control all official correspondence.

They have a news desk that is staffed 24 hours per day. Surely a person there
could monitor tweets or communications from reporters in the field. I'd even
expect there to be a different individual with the keys to the Twittermachine.

------
uses
Make it a publicly visible badge so we know how serious account holders are
about their security.

------
zokier
I just hope they will use the same _standard_ mechanism that Google and now MS
use.

