Last week Twitter became the latest to adopt additional security measures to protect logins using a second authentication factor, joining Apple iTunes, Google Apps, Facebook and others. The idea is to join something that you know, such as a password (that is often and unfortunately shared among other Web services) with something that only you have, such as your cellphone number or an app that runs on your phone.
It wasn’t all that long ago that the small “tokens” the size of key fobs were the sole method that could be used to protect logins. These devices generated a one-time password code that changed every 30 seconds or so automatically, and when you logged into one of your accounts you had to type in the right code that was shown on the device. But toting tokens is too much trouble: they get lost or you leave them at home when you need them elsewhere. A much better solution is to use your phone to generate these one-time codes. So I recently looked at several two factor security tools for a review that was published in Network World. These are tools that are used by enterprises to protect their entire collection of logins to a diverse set of applications, such as internal websites, client/server databases and Web apps. Of the eight tools, SecureAuth’s IdP came out on top.
In my review I looked at how easy it was to provision new users, what kind of apps you can protect with the tool, and what kinds of protective measures you can deploy for the additional authentication steps. There are many different kinds of tokens (as you can see from the picture above from SafeNet, one of the products that I tested), apart from the traditional key fob type: you can use SMS messages (which is what Twitter and Google use), you can download a special smartphone app that creates the one-time codes, you can use actual voice calls or send emails.
None of these tools are simple for an IT staff to set up, however. They have lots of moving parts and require security specialists from different parts of the IT infrastructure to coordinate their efforts.
The Twitter two factor authentication (they call it account verification) is somewhat confusing: you have to go to Account, then check the box on Account Security to enable it. Then you have to ensure that your email address and phone numbers are added to your account.
Part of the bigger problem — not just for Twitter — is that all Web services vendors slipstream in their two factor authentication feature without you necessarily knowing about it. If you haven’t kept up with the vendor’s blog or if the feature hasn’t been widely reported, you don’t know it has been added. For example, Google added two factor to its Gmail accounts several years ago, but not initially to its hosted email accounts. Unless you are ultra paranoid or a security geek, chances are you don’t know about the feature.
Another part of the problem is that frankly, providing the second factor is annoying, an extra step to keep your account secure. Chances are that you won’t be very motivated to use it, unless your account has been compromised in the past, say the recent past. (See the use case of people doing backups after they lose their hard drives.) This is where the two factor tools that I reviewed come in handy: if your company has deployed one of these, it actually can make logging into your accounts easier rather than harder, using a single sign-on to authenticate you to multiple accounts. SecureAuth and Okta come out near the top in this area too.
Given the numerous and now infamous Twitter account compromises over the past couple of years, I am glad to see them deploy two factor authentication. While many of these could still have happened with the additional authentication, they are a good thing to deploy, and if you have a corporate Twitter account, you should set this up soon. And if you haven’t yet set it up on your other Web accounts, take some time this week to do so.