After the February 1st security breach on Twitter, the social network was forced to reset the passwords of all 250,000 affected users. Twitter will be improving its login security by pursuing two-factor authentication from now on.
Twitter detected unauthorized attempts to access user data, after which it admitted that around 250,000 accounts may have been compromised. The company believes that the attackers were well prepared and gained access to user information including usernames, email addresses, session tokens and encrypted/salted versions of passwords. The new two-factor authentication system, or 2FA, is now ready to be introduced at Twitter. With this option enabled, it would be impossible for hackers or internet abusers to break into your account even if they manage to acquire your password.
The 2FA option is in fact already in use by another large website – Google offers this protection for Gmail users. Access from new devices or internet addresses is blocked even when the right password is entered, unless you also enter the personal numerical code sent directly to your mobile phone. Besides providing an extra layer of security, this 2FA system also allows users to track logins and warns them of hacking attempts.
What happens when someone tries to log in to the account from a new device or a different IP address? In that case, the system will not authorize the login and will send a code to your mobile phone. Only when you enter the code on the same login page will you be able to access your account. According to Sophos senior technology consultant Graham Cluley, Twitter could make the 2FA system a paid option and use it to attract more companies and brands to register accounts. Google’s security option, however, is free for all users, and Twitter has not yet announced whether it will charge for it.
A major user-facing security improvement was introduced by Twitter in March 2012, when HTTPS became the default connection option. However, secure communication between the website and its users apparently wasn’t enough to prevent security breaches, so two-factor authentication will now defend Twitter’s log-in process. Until Twitter adopts this system, the company can only spot a breach and immediately revoke the password for the affected account, which it says it did. Still, some hacked users say they can log in with these expired passwords via the Twitter API, which is used by third-party authentication tools and Twitter’s iOS apps. This means the social network is experiencing a serious glitch in handling third-party authentication to its services.
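The login flow described above (password check, then a one-time code for an unrecognised device) and the failure mode in the last paragraph (a password reset that leaves previously issued API/session tokens valid) can be shown together in a small account service. This is an added, self-contained example, not Twitter’s or Google’s code; the `AccountStore` class, the `send_sms` callback and the device identifiers are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class AccountStore:
    """Toy account service (constructed for this example)."""

    def __init__(self):
        # user -> {"salt", "hash", "devices": set(), "tokens": set()}
        self.accounts = {}
        self.pending = {}  # user -> (one-time code, device awaiting confirmation)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": self._hash(password, salt),
                               "devices": set(), "tokens": set()}

    def _issue_token(self, user):
        token = secrets.token_urlsafe(32)
        self.accounts[user]["tokens"].add(token)
        return token

    def login(self, user, password, device_id, send_sms):
        """Step 1: password. Step 2 (new device only): code sent out of band."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            return ("denied", None)
        if device_id not in acct["devices"]:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[user] = (code, device_id)
            send_sms(user, code)  # hypothetical delivery hook
            return ("challenge", None)
        return ("ok", self._issue_token(user))

    def confirm(self, user, code, device_id):
        """Complete the second factor; the device is trusted only after this."""
        pending = self.pending.get(user)
        if pending is None or pending[1] != device_id or not hmac.compare_digest(pending[0], code):
            return ("denied", None)
        del self.pending[user]
        self.accounts[user]["devices"].add(device_id)
        return ("ok", self._issue_token(user))

    def api_call(self, user, token):
        """API access is governed by the token, not the password."""
        return token in self.accounts.get(user, {"tokens": set()})["tokens"]

    def reset_password(self, user, new_password):
        acct = self.accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = self._hash(new_password, acct["salt"])
        acct["tokens"].clear()  # revoke API/session tokens too, or the old credential lives on
        self.pending.pop(user, None)
```

Without the `tokens.clear()` line, a reset password would still leave every token issued before the reset usable through the API, which is the behaviour affected users reported.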