Twitter’s Killer New Two-Factor Solution Kicks SMS to the Curb

JMH

Emeritus, Contributor
Joined
Apr 2, 2012
Posts
7,197
When Twitter rolled out two-factor authentication back in May, it hinted that the SMS authentication would be merely a first step in a more robust security solution. Today, WIRED got a better look at the company’s just-announced new system that relies on application-based authentication, which means it can provide complete end-to-end security without relying on third parties or codes sent via SMS.

“When we decided to implement two-factor, we wanted something that was easy to use and didn’t follow the same formula everyone else was using,” explains Twitter security engineer Alex Smolen.

The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.
Twitter's Killer New Two-Factor Solution Kicks SMS to the Curb | Threat Level | Wired.com
 
Twitter's new security feature: Good intention but a hassle

The difficulty in using Twitter's new login verification feature will likely make it useful only to actors, politicians, and other high-profile users willing to go through the hassle for tighter security.

Twitter, like Google and Facebook, is experimenting with multi-factor authentication as a backup to the traditional username and password that most experts agree is no longer sufficient to protect user accounts. In its latest attempt to bolster security, Twitter has focused on the mobile phone as the keeper of the crown jewels for protection.

In general, Twitter has adopted a system called asymmetric cryptography in which an iOS or Android device is used to generate a private and a public key. While the former stays in the phone, the latter is stored on a Twitter server.
Twitter's new security feature: Good intention but a hassle | PCWorld
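As an added illustration (not code from either article, and not Twitter's implementation): the enrolment and login flow both quoted pieces describe, in Go, with a device that keeps the 2048-bit RSA private key and a server that stores only the uploaded public key and verifies a signed, single-use nonce. The function names, the RSA-PSS/SHA-256 signature choice, the nonce format and the replay and expiry handling are assumptions about how such a scheme is typically built, not details the articles give.

```go
// Added example: challenge-response login verification built on a per-device RSA
// keypair, modelled on the scheme the quoted articles describe (private key stays on
// the phone, public key is enrolled with the server). Illustrative code only; the
// message shapes, function names and signature scheme are assumptions.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device holds the only copy of the private key; it never leaves the phone.
type Device struct {
	priv *rsa.PrivateKey
}

// Enroll generates the 2048-bit keypair on the device and returns the public
// half for upload to the server.
func Enroll() (*Device, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &priv.PublicKey, nil
}

// Approve signs a server-issued login challenge with RSA-PSS over SHA-256.
// The phone signs only a nonce, so there is no code to type and nothing to phish.
func (d *Device) Approve(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, digest[:], nil)
}

// pendingChallenge is a nonce the server has issued and not yet consumed.
type pendingChallenge struct {
	user    string
	expires time.Time
}

// Server stores enrolled public keys and outstanding challenges (in memory here).
type Server struct {
	keys    map[string]*rsa.PublicKey
	pending map[string]pendingChallenge // keyed by hex(nonce)
	ttl     time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{keys: map[string]*rsa.PublicKey{}, pending: map[string]pendingChallenge{}, ttl: ttl}
}

// Register records the public key the device uploaded during enrolment.
func (s *Server) Register(user string, pub *rsa.PublicKey) {
	s.keys[user] = pub
}

// IssueChallenge creates a fresh 32-byte random nonce bound to the user and an expiry.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("user not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = pendingChallenge{user: user, expires: time.Now().Add(s.ttl)}
	return nonce, nil
}

// Verify checks the signature against the enrolled public key and consumes the
// nonce, so a captured signature cannot be replayed for a second login.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	p, ok := s.pending[key]
	if !ok || p.user != user {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key) // single use, whether or not the signature checks out
	if time.Now().After(p.expires) {
		return errors.New("challenge expired")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPSS(s.keys[user], crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("signature did not verify")
	}
	return nil
}

func main() {
	dev, pub, err := Enroll() // happens on the phone at enrolment
	if err != nil {
		panic(err)
	}
	srv := NewServer(2 * time.Minute)
	srv.Register("alice", pub)           // only the public key reaches the server
	ch, _ := srv.IssueChallenge("alice") // a login attempt triggers a prompt on the phone
	sig, _ := dev.Approve(ch)            // the user approves; the phone signs the nonce
	fmt.Println("first login:", srv.Verify("alice", ch, sig))
	fmt.Println("replayed login:", srv.Verify("alice", ch, sig))
}
```

The two properties worth checking are visible in `Verify`: the server never holds anything that lets it (or someone who breaches it) log in as the user, only a key that can check signatures; and each nonce is deleted the moment it is presented, so an intercepted approval is useless a second time. The expiry bounds how long an unanswered prompt stays valid.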
 