When Twitter rolled out two-factor authentication back in May, it hinted that SMS authentication would be merely a first step toward a more robust security solution. Today, WIRED got a better look at the company's just-announced new system, which relies on application-based authentication. That means it can provide end-to-end security without relying on third parties or on codes sent via SMS.
“When we decided to implement two-factor, we wanted something that was easy to use and didn’t follow the same formula everyone else was using,” explains Twitter security engineer Alex Smolen.
The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key stays on the phone itself, and only the public key is uploaded to Twitter’s server.
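To make the enrollment step concrete, here is an added example (written for this article, not Twitter's code) that models the two parties in Go using only the standard library. The phone generates a 2048-bit RSA keypair and exports just the public key; the server parses it, checks that it really is a 2048-bit RSA key, and stores it. The example also goes one step beyond the enrollment described above: the login flow (a random server challenge signed on the phone with RSA-PSS over SHA-256, verified against the stored public key) is my assumption of how an enrolled key would be used, not something this passage states. The user name "alice", the challenge size and the choice of PSS are illustrative.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Device models the phone: the private key is generated here and never exported.
type Device struct{ priv *rsa.PrivateKey }

// Server models Twitter's side: it stores only public keys, indexed by user.
type Server struct{ pubKeys map[string]*rsa.PublicKey }

// NewDevice generates the 2048-bit RSA keypair on the phone.
func NewDevice() (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKeyPEM is the only key material the device ever sends out.
func (d *Device) PublicKeyPEM() ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&d.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Sign answers a login challenge (assumed flow) with RSA-PSS over its SHA-256 hash.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, digest[:], nil)
}

func NewServer() *Server { return &Server{pubKeys: map[string]*rsa.PublicKey{}} }

// Enroll parses the uploaded PEM, rejects non-RSA or short keys, and stores the key.
func (s *Server) Enroll(user string, pubPEM []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("enroll: no PEM public key found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok || pub.Size() < 256 { // Size() is the modulus length in bytes; 256 = 2048 bits
		return errors.New("enroll: expected an RSA key of at least 2048 bits")
	}
	s.pubKeys[user] = pub
	return nil
}

// NewChallenge returns a fresh random nonce; reusing one would permit replay.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the device's signature against the stored public key for the user.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// RunFlow performs enrollment and one login. It returns whether the genuine
// signature verified and whether a tampered challenge was correctly rejected.
func RunFlow() (valid, tamperedRejected bool, err error) {
	dev, err := NewDevice()
	if err != nil {
		return false, false, err
	}
	srv := NewServer()
	pubPEM, err := dev.PublicKeyPEM()
	if err != nil {
		return false, false, err
	}
	if err = srv.Enroll("alice", pubPEM); err != nil { // "alice" is a constructed user
		return false, false, err
	}
	challenge, err := srv.NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := dev.Sign(challenge)
	if err != nil {
		return false, false, err
	}
	valid = srv.Verify("alice", challenge, sig)
	tampered := append([]byte{}, challenge...)
	tampered[0] ^= 0xff // flip bits so the signature no longer matches
	tamperedRejected = !srv.Verify("alice", tampered, sig)
	return valid, tamperedRejected, nil
}

func main() {
	valid, rejected, err := RunFlow()
	fmt.Println("genuine verified:", valid, "tampered rejected:", rejected, "err:", err)
}
```

The point the code makes is the one the paragraph makes: the server never holds anything that could be used to impersonate the user, so a breach of its key store yields only public keys, unlike a shared-secret (SMS or TOTP) design where the server's copy of the secret is as good as the user's.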