Two-factor authentication for Twitter

by Laurie Anstis on May 24, 2013

A couple of months ago I wrote about the security of corporate Twitter accounts following the #hmvXFactorFiring incident.

This week, Twitter have announced an important new security feature – two-factor authentication, or “login verification” as they call it.

A full description of how this works is in their blog post here. If a user turns this feature on, a username and password alone will no longer be enough to log on to that Twitter account. Logging on from a new device or web browser will also require a six-digit code, which Twitter sends by text message (SMS) to the mobile phone number registered on the account; once a device has been verified it is not challenged again.
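To make the flow concrete, here is a small server-side sketch of that kind of SMS login verification. It is an added illustration written for this post, not Twitter's code, and the details it fixes (a five-minute code lifetime, five wrong guesses before the code is thrown away, keeping only an HMAC of the code at rest, the constructed sample account and device names) are assumptions that Twitter's announcement does not specify. The SMS transport is stubbed out as a callback so the whole thing runs offline.

```python
"""Sketch of SMS-based login verification (added illustration, not Twitter's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a texted code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: abandon the challenge after five wrong guesses

# Server-side key used only to hash codes at rest (key rotation is out of scope here).
_SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Challenge:
    code_hash: bytes      # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    username: str
    phone_number: str                                # exactly one number per account
    trusted_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)      # device_id -> Challenge


def _hash_code(code: str) -> bytes:
    return hmac.new(_SERVER_KEY, code.encode(), "sha256").digest()


def new_code() -> str:
    # secrets, not random: the code must be unpredictable to an attacker.
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def start_login(account, password_ok, device_id, send_sms, now=None):
    """First factor, then decide whether the second is needed.

    Returns "denied" (bad password), "granted" (device already verified) or
    "challenge" (a code was texted; verify_code must succeed before login)."""
    now = time.time() if now is None else now
    if not password_ok:
        return "denied"
    if device_id in account.trusted_devices:
        return "granted"
    code = new_code()
    account.pending[device_id] = Challenge(_hash_code(code), now + CODE_TTL_SECONDS)
    send_sms(account.phone_number, code)   # whatever the carrier gateway is
    return "challenge"


def verify_code(account, device_id, submitted, now=None):
    """Second factor: check the texted code for a pending challenge."""
    now = time.time() if now is None else now
    challenge = account.pending.get(device_id)
    if challenge is None:
        return False
    if now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        del account.pending[device_id]     # expired or exhausted: a fresh code is required
        return False
    challenge.attempts += 1
    if not hmac.compare_digest(_hash_code(submitted), challenge.code_hash):
        return False
    del account.pending[device_id]
    account.trusted_devices.add(device_id)  # this browser will not be challenged again
    return True


def demo():
    """Walk the flow once with a constructed account; returns the outcomes."""
    outbox = []                                       # stands in for the SMS gateway
    send = lambda number, code: outbox.append((number, code))
    acct = Account("press_office", "+447700900123")   # constructed sample account
    acct.trusted_devices.add("laptop-1")
    t0 = 1_369_353_600.0                              # fixed clock for reproducibility

    out = {"trusted_device": start_login(acct, True, "laptop-1", send, now=t0),
           "bad_password": start_login(acct, False, "new-phone", send, now=t0),
           "new_device": start_login(acct, True, "new-phone", send, now=t0)}
    code = outbox[-1][1]
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    out["wrong_code"] = verify_code(acct, "new-phone", wrong, now=t0)
    out["right_code"] = verify_code(acct, "new-phone", code, now=t0)
    out["now_trusted"] = start_login(acct, True, "new-phone", send, now=t0)

    start_login(acct, True, "tablet", send, now=t0)   # code that is left too long
    out["expired"] = verify_code(acct, "tablet", outbox[-1][1], now=t0 + CODE_TTL_SECONDS + 1)

    start_login(acct, True, "kiosk", send, now=t0)    # code that is guessed at
    kiosk_code = outbox[-1][1]
    kiosk_wrong = f"{(int(kiosk_code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        verify_code(acct, "kiosk", kiosk_wrong, now=t0)
    out["exhausted"] = verify_code(acct, "kiosk", kiosk_code, now=t0)  # right code, too late
    out["sms_sent"] = len(outbox)
    return out
```

The two checks worth noticing are the constant-time comparison of the hashed code and the attempt limit: a six-digit code has only a million values, so without a cap on guesses the second factor is worth little. Note also that the account model carries exactly one phone number, which is the constraint the rest of this post turns on.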

This is an improvement on the security offered by a username and password alone, but there is a problem with using it for corporate accounts.

In many cases businesses and other organisations will have multiple Twitter accounts. It might be that there is one for press releases and another for customer service, or it might be that there is a series of accounts segmented across a number of possible customer groups (which is how it is done at my firm).

The difficulty is that a mobile phone number can be associated with only one Twitter account at a time, so there can't be one central phone that receives the codes for every account. Each account would need its own phone and its own number, which makes using two-factor authentication across a corporate set of accounts very awkward.

It seems likely that in the future Twitter will put in place alternative methods of two-factor authentication, but for now this feature is going to be very difficult to implement across multiple corporate accounts.

Of course, if you are going to use this in a corporate environment, you will also need to be confident that you can maintain control of the phone which receives the login codes: who holds it, what happens when that person leaves or the handset is lost, and who is able to change the number registered on the account. Whoever controls that phone controls the second factor.