Why we’re cautiously optimistic about Twitter’s new authentication system

twitter has introduced a new authentication system and were cautiously optimistic about it heres why two step

As much as we’ve ragged on Twitter’s inept security strategy, we have to hand it to Twitter this time around. As terrible as Twitter’s first attempt at two-factor authentication was, this second go at a security upgrade is a huge improvement – here’s why.

Out with the old, in with the new

How is the new version any different from the old? In many ways the latest two-factor authentication system is far more secure (although that doesn’t mean it’s fool-proof). Previously, users were stuck with an authentication process that involved phone numbers, SMS notifications, and typing a confirmation code into Twitter.com. The process was panned as clunky and unreliable. In fact, SMS verifications aren’t difficult to bypass: All it takes is a replica of Twitter’s webpage and hint of trickery to dupe users into typing in their account info, passwords, and verification codes on the fake Twitter site.

So here’s how the new process works: When you sign into Twitter.com with your username and password, its servers will push a verification request to your mobile phone to validate the log-in attempt. All you have to do is to verify (or reject) the log-in request on either Twitter’s iOS or Android app. And to give you further peace of mind, Twitter logs and informs you about the location, the time, and the browser that you appear to be logging in from.

Toopher CEO Josh Alexander, who has been very vocal about social security systems, is giving Twitter one thumb up – he’s saving the other thumb for when Twitter fixes the two-factor authentication bugs and offers the same support for accounts with multiple users.

“What Twitter did with its new two step authentication solution is historic. Yes, a small handful of companies have developed similar or better technology over the past couple of years. And while some enterprises and universities have begun adopting these technologies internally, we have not yet seen consumer-facing security that simultaneously increases both usability and security,” says Alexander.

The mechanics of the authentication process itself has its complexities, like the fact that the private asymmetric 2048-bit RSA keypair that’s stored locally on your phone sends an encrypted public key to Twitter’s servers. The point of this is to prevent snooping. What this means is that after you’ve verified that it was you who signed in, if the key that’s sent from your phone to Twitter was intercepted, the public key would not only be encrypted but wouldn’t be one in the same as the private key so hackers couldn’t use it to hack your account.

A good effort, but will users adopt the new system?

“This is harder to crack,” says Alexander when asked about how secure he finds the new system. “But it’s not safe enough to keep our concerns at bay.” He isn’t concerned about accounts being hacked, so much as he’s more concerned that Twitter users will mind the tedium of verifying a login through an out-of-band authentication (like using a smartphone to verify a login from a desktop).

“Despite the improvement to both usability and security, Twitter’s new solution doesn’t cross the usability threshold that would allow for mass adoption,” Alexander explains. He estimates that Twitter will face the normal “legacy” two step adoption rate, meaning that just between 0.5 percent and 2 percent of users will bother to add this two-factor authentication method. “This is because this solution still requires significant friction and change to normal user behavior – which means user experience is impaired.” And the point of the system is not only to improve security for its users, but to also get people to use two-factor authentication in the first place. After all, what’s the use in releasing a product that no one would use anyway?

Even Alexander doesn’t deny that Twitter’s solution is far superior and admittedly a step in the right direction. “There is still more work to be done – this a great first step away from one time passwords via text message, and Twitter knows this is only the beginning.”

You’ll find bugs, but fortunately Twitter isn’t settling

Two-factor authentication is a work in progress, says Twitter security engineer Alex Smolen, and some users are already finding the early glitches. After opting into two-factor authentication, L.A. Times reporter, Paresh Dave, reported on Twitter’s fatal flaw – namely not receiving login requests on his smartphone and being locked out of his account. And he’s not the only one who’s encountered this problem.  

But regardless of how many users actually bother to opt into two-factor authentication, and issues that might plague the feature straight out of beta, thankfully Twitter isn’t settling. “We’ll continue to make improvements so signing in to Twitter is even easier and more secure,” says Smolen. We expect the bugs and kinks to get ironed out over the coming weeks. Better yet, Twitter says a system for users who log into multiple accounts is on the way.

And since third-party Twitter clients are just about everywhere on the Web, a verification API makes sense, as Smolen announced. This would let users log into a third-party Twitter client with Twitter’s new style of authentication without the hassle of the old school method requiring users to input a generated temporary password.

While Twitter’s authentication process may neither win over every user, nor the majority for that matter, what its security team has accomplished is massively upping the ante. ‘[Twitter is helping] set a precedent for the online community demonstrating that one-time passwords via text message are no longer acceptable.”


Ditch the passwords and buy Xbox games with just your face

Passwords are the past. The latest version of Windows 10 allows you to sign in with your Microsoft account on the web through Microsoft Edge using Windows Hello or a FIDO 2 Yubikey. 

Keep your phone organized with one of the best file managers for Android

Your smartphone has a limited amount of storage space and all sorts of files tend to accumulate if you let them. To keep things in order and find what you need, you should snag one of the best file managers for Android.

The MacBook is smaller, the MacBook Air is faster, but which is better?

This year, Apple's MacBook Air got a powerful internal upgrade, but the redesign makes it slimmer and lighter. So should you get the MacBook Air over the MacBook? We'll compare both notebook's major features and help you decide.

Your PlayStation 4 game library isn't complete without these games

Looking for the best PS4 games out there? Out of the massive crop of titles available, we selected the best you should buy. No matter what your genre of choice may be, there's something here for you.
Social Media

Vine fans, your favorite video-looping app is coming back as Byte

Vine fans were left disappointed in 2017 when its owner, Twitter, pulled the plug on the video-looping app. But now one of its co-founders has promised that a new version of the app, called Byte, is coming soon.

Social media use increases depression and anxiety, experiment shows

A study has shown for the first time a causal link between social media use and lower rates of well-being. Students who limited their social media usage to 30 minutes a day showed significant decreases in anxiety and fear of missing out.
Social Media

Twitter boss hints that an edit button for tweets may finally be on its way

Twitter has been talking for years about launching an edit button for tweets, but it still hasn't landed. This week, company boss Jack Dorsey addressed the matter again, describing a quick-edit button as "achievable."
Social Media

‘Superwoman’ YouTuber Lilly Singh taking a break for her mental health

Claiming to be "mentally, physically, emotionally, and spiritually exhausted," popular YouTuber Lilly Singh has told her millions of fans she's taking a break from making videos in order to recuperate.
Social Media

Facebook is rolling out a Messenger ‘unsend’ feature, and here’s how to use it

Facebook is starting to roll out a "remove message" feature for its Messenger app. It lets you delete a message in a thread within 10 minutes of sending it, and replaces it with a note telling recipients that it's been removed.
Social Media

Going incognito: Here's how to appear offline on Facebook

How do you make sure your friends and family can't see if you're on Facebook, even if you are? Here, we'll show you how to turn off your active status on three different platforms, so you can browse Facebook without anyone knowing.
Social Media

Build a wish list and shop videos with Instagram’s latest shopping update

Eyeing a product on Instagram? Now there are more ways to shop from the social network. Instagram just rolled out options to save products in a collection as users can also now shop from videos.
Social Media

Addicted to Instagram? Its new ‘activity dashboard’ is here to help

Ever get that nagging feeling you're spending too much time on Instagram? Well, a new "activity dashboard" has a bunch of features designed to help you better control how you use the addictive photo-sharing app.
Product Review

It's not a spy, but you still won't want to friend Facebook's Portal+

Facebook has jumped into the smart home game with the Portal+, a video-calling device featuring an Amazon Alexa speaker and a screen. While it has lots of cool calling features, we’re weary of Facebook taking up counter space in our home.
Social Media

Why an American named John Lewis gets lots of Twitter hassle from Brits

Spare a thought for Twitter user John Lewis. When he signed up as @johnlewis soon after the app launched in 2006, little did he know what he was letting himself in for. Clue: There's a U.K. department store called John Lewis.