Hands-on: Twitter's new two-factor authentication sounds cool, but we can't get it to work
On Wednesday, Twitter unveiled a new two-factor authentication method for Android and iOS that allows you to authorize login requests to your Twitter account with just one tap, banishing the usual method of manually inputting security codes generated via an app or sent via text message. Just open up the Twitter app on your smartphone or tablet, authorize the login with one finger press, and you’re done.
Sounds great, right? There's only one problem: It simply didn’t work in my tests, or my editor's—and Twitter’s two-factor failure doesn’t appear to be limited to our experience, either.
Nevertheless, even while Twitter works out the kinks for its (admittedly cool) two-factor authentication system, the new security measure is still worth setting up right now. Read on and we’ll explain why.
How to get started
You can only have two-factor authentication set up on one smartphone or tablet, so you have to decide which of your devices you have around with you most often. For most of us, this will be our smartphone.
To set up Twitter two-factor authentication, tap the “Me” tab (the advanced primate icon in the top right corner) to view your Twitter profile. Next, tap on the settings cog below your tweet count and then tap “Settings.”
For iPhone users, you simply have to tap the “Security” option next, but Android users first have to tap their username at the top of the Settings page and then tap “Security” at the bottom of the next page. After that, both iOS and Android users should now see the security page with one option available called “Login verification” and a check box next to it.
Tap the box and a warning dialog will pop up telling you that if you enable login verification, you will need your phone to sign in to Twitter. If that doesn’t bother you—and it shouldn’t, since you wanted to set up two-factor authentication in the first place—tap “OK.”
Here's where the first issue popped up. Despite repeated attempts to activate Twitter's new security feature, my editor simply couldn't get the new-look two-factor authentication to stick. The app tossed up repeated error messages, as seen at right.
But if you do manage to get through, the Twitter application will now take a few minutes to generate a pair of security encryption keys for two-factor authentication. When that’s done, the next thing you’ll see will be a page with a 12-character code. Write down that code in a secure place, or ideally, plop it in a password manager like LastPass. This code is a one-time backup code you can use in case you have to log in to Twitter without your phone present or Twitter’s one-tap authentication method isn’t working.
After you’ve got your backup code stashed away, you’re done and your Twitter account is now more secure than it was.
From the Twitter app with two-factor authentication activated, you can use the “Security” page to see or generate new backup codes as well as view and approve all login requests for your account.
That’s the theory anyway. Here’s how it worked for us in practice.
The next time you try to log in to your Twitter account from another device, an alert will be sent to your phone asking you to authorize the login.
On Android, tap the alert in the notifications area to open the Twitter app and go directly to the login requests page. What you should see next is a request to authorize the login with a single tap—there are no codes to enter. The request includes details such as time, location, and browser type, so you can be sure that the request is coming from you.
That’s what you should see, but as we mentioned before, in our tests Twitter’s two-factor authentication mechanism wasn’t working. Every time we opened the Twitter app on a Nexus 4 to approve a login, the app repeatedly said we didn’t have any login requests. Quick fix methods such as stopping the application and rebooting the phone didn’t help solve the issue either.
Luckily, you can log in using the one-time backup codes—even though that defeats the purpose of using Twitter’s one-tap authentication method in the first place.
It’s not clear why two-factor authentication didn’t work during our tests, but we’ve dropped a note to Twitter to see if they can help us solve the problem.
Even though Twitter’s primary authentication method doesn’t work, the backup codes still let you use the Twitter app for two-factor authentication while the company works the bugs out of its system. Another option is to continue using (or sign up for) Twitter’s SMS-based authentication method.
We weren’t the only ones experiencing problems with Twitter’s authentication method, either. A number of Twitter users were also complaining of the issue, and Android Police saw the same issues that we did.
Also note that many third-party applications aren’t set up to work with Twitter’s new two-factor method yet. In those cases, you will be redirected to your Twitter account on the Web, where you can generate an application-specific password.
Behind the scenes
Crypto-geeks will want to take a look at Twitter’s blog post explaining the technical details behind its new authentication scheme. Similar to other two-factor authentication methods, Twitter’s approach relies on something you know (your password) and something you have (an app on your phone).
In some cases, such as Google’s two-factor authentication method, the second authentication factor (the app on your phone) relies on a counter and a secret shared between your phone and the service. The problem with that approach, Twitter says, is that if the server is compromised then hackers will know the shared secret and be able to break in to your account.
SMS login codes aren’t as secure either since they too can be hacked by malicious actors, as security researchers noted when Twitter rolled out its SMS two-factor approach in May.
The advantage of the shared secret approach, however, is that it’s comparatively simple to use and maintain. Twitter’s new approach is far more complex—but we'll leave all the nitty-gritty details to Twitter's blog post. Let's just say it involves 2048-bit RSA public-private key pairs and 190-bit, one-time use codes dubbed "nonces," and leave it at that. The animated GIF above gets the rough gist across.
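To make the difference between the two designs concrete, here is an added illustration in Python; it is not Twitter's code and does not follow Twitter's actual protocol. It models the counter-plus-shared-secret scheme with RFC 4226 HOTP, and the public-key scheme with a simplified challenge-response in which the phone signs a random nonce with a private key the server never holds. The RSA is textbook (hash-then-exponentiate, no padding) and the key size, nonce length, and the leaked-database scenario are assumptions chosen to keep the demo short and fast; Twitter's parameters (2048-bit keys, 190-bit nonces) are larger.

```python
"""Shared-secret OTP vs. public-key challenge-response under a server breach.

Added example, stdlib only. RSA here is textbook (no padding) with small
keys for speed; the parameters are assumptions, not Twitter's.
"""
import hashlib
import hmac
import secrets
import struct

# Odd primes below 500, used for quick trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 500, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with the top bit set (so the modulus has the full size)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). Twitter uses 2048-bit keys; smaller here for speed."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def sign_nonce(private_key, nonce: bytes) -> int:
    """Phone side: sign SHA-256(nonce) with the private key it alone holds."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(nonce).digest(), "big")
    return pow(h, d, n)


def verify_nonce(public_key, nonce: bytes, signature: int) -> bool:
    """Server side: check the signature using only the stored public key."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(nonce).digest(), "big")
    return pow(signature, e, n) == h


def hotp(shared_secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a counter-and-shared-secret app computes."""
    mac = hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def breach_comparison():
    """Model a leaked server database under both designs.

    Returns (otp_forged, sig_forged): whether an attacker holding only the
    server's records can produce a valid second factor in each design.
    """
    # Design 1: HOTP. The server database must hold the shared secret itself.
    shared_secret = secrets.token_bytes(20)          # constructed sample secret
    server_db_otp = {"secret": shared_secret, "counter": 0}
    leaked = dict(server_db_otp)                     # attacker copies the table
    attacker_code = hotp(leaked["secret"], leaked["counter"])
    expected = hotp(server_db_otp["secret"], server_db_otp["counter"])
    otp_forged = attacker_code == expected           # the leak alone suffices

    # Design 2: challenge-response. The server database holds only the public key.
    public_key, private_key = rsa_keypair()
    server_db_pk = {"public_key": public_key}
    nonce = secrets.token_bytes(24)                  # 192 bits here; Twitter uses 190
    legit = sign_nonce(private_key, nonce)           # phone approves the login
    if not verify_nonce(server_db_pk["public_key"], nonce, legit):
        raise RuntimeError("legitimate approval should verify")
    # With only the leaked public key, the best an attacker can do is guess.
    n, _ = server_db_pk["public_key"]
    sig_forged = verify_nonce(server_db_pk["public_key"], nonce, secrets.randbelow(n))
    return otp_forged, sig_forged


if __name__ == "__main__":
    print("shared secret forged after breach:", breach_comparison()[0])  # True
    print("signature forged after breach:  ", breach_comparison()[1])  # False
```

The point of the comparison is in what each database row lets an attacker do: the HOTP row contains everything needed to compute the next code, whereas the public-key row only lets the server check approvals. That is the property Twitter is citing, and it is independent of the one-tap user experience that was failing in these tests.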
It sounds good on paper!
Twitter’s approach sounds like a very cool way to handle login authorization, but we have to wonder if the complexity of sending all those 190-bit nonces back and forth could have used a little more beta testing before it went live. Whatever the technical problems are, hopefully we’ll be able to use the new system soon.
Regardless, even using the dreary 16-character backup codes for now is better than the alternative of having no two-factor authentication at all (though my editor's sticking to SMS notifications). Who knows? Maybe you’ll have better luck with Twitter’s new security measures than we did.
PCWorld's Brad Chacos contributed to this report.