
Why we’re cautiously optimistic about Twitter’s new authentication system


As much as we’ve ragged on Twitter’s inept security strategy, we have to hand it to Twitter this time around. As terrible as Twitter’s first attempt at two-factor authentication was, this second go at a security upgrade is a huge improvement – here’s why.

Out with the old, in with the new

How is the new version any different from the old? In many ways the latest two-factor authentication system is far more secure, though that doesn’t make it fool-proof. Previously, users were stuck with a process built on phone numbers, SMS messages, and typing a confirmation code into Twitter.com. It was panned as clunky and unreliable, and SMS codes aren’t hard to bypass in the first place: all it takes is a replica of Twitter’s login page and a bit of trickery to get users to type their username, password, and verification code into the fake site, where an attacker can use them against the real one while the code is still valid.


So here’s how the new process works: when you sign in to Twitter.com with your username and password, Twitter’s servers push a verification request to your mobile phone. You approve or reject the login from Twitter’s iOS or Android app. Alongside the request, Twitter shows the location, the time, and the browser the login appears to be coming from, which is what lets you tell your own login apart from someone else’s attempt with your password.

Toopher CEO Josh Alexander, who has been outspoken about security on social networks, is giving Twitter one thumb up – he’s saving the other thumb for when Twitter fixes the two-factor authentication bugs and offers the same support for accounts with multiple users.

“What Twitter did with its new two step authentication solution is historic. Yes, a small handful of companies have developed similar or better technology over the past couple of years. And while some enterprises and universities have begun adopting these technologies internally, we have not yet seen consumer-facing security that simultaneously increases both usability and security,” says Alexander.

The mechanics underneath are less simple than the user experience suggests. When you enroll, the app generates a 2048-bit RSA keypair on your phone, keeps the private key there, and sends only the public key to Twitter’s servers. The point is to keep the secret off the wire: the approval your phone sends back is produced with the private key, and Twitter checks it against the public key it holds. So even if someone intercepted the public key in transit, it is not the same key as the private one, and it can’t be used to approve logins to your account.
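To make the flow in the two paragraphs above concrete, here is an added illustration (not Twitter’s code, and not from Toopher either) of push-based login verification with a phone-held RSA key. Everything in it is an assumption for the demo: the message formats, the two-minute challenge lifetime, the constructed IP-to-location table, the user and browser strings, and a toy hash-then-sign RSA built from the standard library, which a real app would replace with a vetted library and proper padding. The key size defaults to 1024 bits for speed where the article describes 2048.

```python
"""Push-based login verification modelled on the flow the article describes.
Added example, not Twitter's code; formats, lifetimes and data are assumptions."""
import hashlib
import json
import math
import secrets
import time

# ---- toy RSA, standard library only (a real app would use a library with RSA-PSS) ----
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)). bits >= 512 keeps the SHA-256 digest below n."""
    assert bits >= 512
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return isinstance(sig, int) and pow(sig, e, n) == _digest(msg)

def _canonical(obj) -> bytes:
    """Deterministic encoding so phone and server sign and verify the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class Phone:
    """The Twitter app on the user's phone: the private key is generated here and never leaves."""
    def __init__(self):
        self._priv = None

    def enroll(self, bits: int = 1024):
        pub, self._priv = generate_keypair(bits)
        return pub                                         # only the public half goes to the server

    def respond(self, challenge: dict, decision: str) -> dict:
        """User taps approve or reject; the app signs the decision bound to this exact challenge."""
        body = {"challenge_id": challenge["challenge_id"], "nonce": challenge["nonce"], "decision": decision}
        return {"body": body, "sig": sign(self._priv, _canonical(body))}

class LoginServer:
    """Twitter's side reduced to the verification step; the password check is assumed already done."""
    CHALLENGE_TTL = 120                                            # seconds a push request stays valid (assumed)
    _GEO = {"203.0.113.7": "San Francisco, CA", "198.51.100.9": "Kyiv, Ukraine"}   # constructed GeoIP table

    def __init__(self):
        self.device_keys = {}   # username -> public key enrolled from the phone
        self.pending = {}       # challenge_id -> outstanding challenge, consumed on first valid response

    def enroll_device(self, username: str, pub) -> None:
        self.device_keys[username] = pub

    def begin_login(self, username: str, ip: str, browser: str, now=None) -> dict:
        """Build the request pushed to the phone; location, time and browser let the user judge it."""
        now = int(time.time() if now is None else now)
        ch = {"challenge_id": secrets.token_hex(8), "nonce": secrets.token_hex(16), "username": username,
              "location": self._GEO.get(ip, "unknown"), "browser": browser,
              "time": now, "expires": now + self.CHALLENGE_TTL}
        self.pending[ch["challenge_id"]] = ch
        return ch

    def complete_login(self, response: dict, now=None) -> str:
        now = time.time() if now is None else now
        body, sig = response.get("body") or {}, response.get("sig")
        ch = self.pending.get(body.get("challenge_id"))
        if ch is None:
            return "invalid"                                   # never issued, or already consumed (replay)
        if now > ch["expires"]:
            del self.pending[ch["challenge_id"]]
            return "expired"
        if body.get("nonce") != ch["nonce"] or not verify(self.device_keys[ch["username"]], _canonical(body), sig):
            return "invalid"                                   # not signed by the enrolled phone's private key
        del self.pending[ch["challenge_id"]]                   # single use
        return "approved" if body.get("decision") == "approve" else "rejected"

def forge_with_public_key(pub, challenge: dict) -> dict:
    """What an eavesdropper holding only the captured public key can try: 'sign' with the public exponent."""
    n, e = pub
    body = {"challenge_id": challenge["challenge_id"], "nonce": challenge["nonce"], "decision": "approve"}
    return {"body": body, "sig": pow(_digest(_canonical(body)), e, n)}

def demo(bits: int = 1024) -> dict:
    """Enroll, approve a real login, replay it, forge with the public key, reject a stranger, let one go stale."""
    phone, server = Phone(), LoginServer()
    server.enroll_device("alice", phone.enroll(bits))
    t0, results = 1_375_000_000, {}                            # constructed timestamp, summer 2013
    ch = server.begin_login("alice", "203.0.113.7", "Chrome 28 on Mac OS X", now=t0)
    ok = phone.respond(ch, "approve")
    results["own_login"] = server.complete_login(ok, now=t0 + 10)
    results["replayed_approval"] = server.complete_login(ok, now=t0 + 11)
    ch2 = server.begin_login("alice", "198.51.100.9", "Firefox 22 on Windows 7", now=t0 + 20)
    forged = forge_with_public_key(server.device_keys["alice"], ch2)
    results["forged_with_public_key"] = server.complete_login(forged, now=t0 + 21)
    results["stranger_rejected"] = server.complete_login(phone.respond(ch2, "reject"), now=t0 + 22)
    ch3 = server.begin_login("alice", "203.0.113.7", "Chrome 28 on Mac OS X", now=t0 + 30)
    results["stale_approval"] = server.complete_login(phone.respond(ch3, "approve"), now=t0 + 30 + 600)
    return results

if __name__ == "__main__":
    print(demo())
```

The server never learns the private key, so the forged approval built from the captured public key fails verification, a replayed approval is refused because each challenge is consumed on first use, and the second login attempt (a different browser and city, which the user sees on the push request) is rejected by the user rather than the server.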

A good effort, but will users adopt the new system?

“This is harder to crack,” says Alexander when asked how secure he finds the new system. “But it’s not safe enough to keep our concerns at bay.” His worry is less that accounts will be hacked than that Twitter users will balk at the tedium of verifying a login out of band (for instance, approving a desktop login on a smartphone).

“Despite the improvement to both usability and security, Twitter’s new solution doesn’t cross the usability threshold that would allow for mass adoption,” Alexander explains. He estimates that Twitter will face the normal “legacy” two step adoption rate, meaning that just between 0.5 percent and 2 percent of users will bother to add this two-factor authentication method. “This is because this solution still requires significant friction and change to normal user behavior – which means user experience is impaired.” And the point of the system is not only to improve security for its users, but to also get people to use two-factor authentication in the first place. After all, what’s the use in releasing a product that no one would use anyway?

Even Alexander doesn’t deny that Twitter’s solution is a big improvement and a step in the right direction. “There is still more work to be done – this is a great first step away from one time passwords via text message, and Twitter knows this is only the beginning.”

You’ll find bugs, but fortunately Twitter isn’t settling

Two-factor authentication is a work in progress, says Twitter security engineer Alex Smolen, and some users are already finding the early glitches. After opting in, L.A. Times reporter Paresh Dave hit the worst failure mode a login system can have: the verification requests never reached his smartphone, and he was locked out of his account. He’s not the only one who has run into this.

But regardless of how many users actually bother to opt into two-factor authentication, and whatever issues plague the feature straight out of the gate, thankfully Twitter isn’t settling. “We’ll continue to make improvements so signing in to Twitter is even easier and more secure,” says Smolen. We expect the bugs and kinks to get ironed out over the coming weeks. Better yet, Twitter says a system for users who log into multiple accounts is on the way.

And since third-party Twitter clients are just about everywhere on the Web, a verification API makes sense, as Smolen announced. It would let users log into a third-party client with Twitter’s new style of authentication, without the hassle of the old-school method that required them to enter a generated temporary password.

While Twitter’s authentication process may win over neither every user nor even the majority, what its security team has accomplished is massively upping the ante. “[Twitter is helping] set a precedent for the online community, demonstrating that one-time passwords via text message are no longer acceptable.”
