How to Boost your Twitter Sign-In Security
19th September, 2018 | Cyberprivacy | Entropic
It was May 2013 when Twitter first introduced their SMS-based Two-Factor Authentication system, which they named "Login Verification". This was done in response to a breakdown in the security of their username/password based sign-in security that was rapidly becoming vulnerable to spear-phishing attacks, and other types of data breaches.
Amongst other key events, the most noteworthy was the use of spear-phishing to gain access to the Twitter accounts of The Associated Press, and on April 23rd 2013 make false posts that caused the Dow Jones to plunge 143 points. Since then, hackers have managed to find ways to bypass SMS-based two-factor authentication, putting more pressure on Twitter to provide additional options to help enhance sign-in security for their users.
In December 2017, they introduced the ability to use third-party authenticator apps, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator. Most recently in June of this year, they introduced the ability to use security keys on Android smartphones.
Unlike Facebook, Twitter does not seem to be suffering from as much Subsidiary Drag, when it comes to implementing security for their users, with Periscope currently offering the same 2FA sign-in security options as Twitter.
With it's focus on less personal, more frequent communication, Twitter does not tend to amass concentrated personal information in the same way that Facebook does. However, a compromise of this platform carries with it risks that differ from a typical data loss scenario. People who can gain access to your Twitter account can leverage it to misrepresent you, by making tweets on your behalf. This can be severely damaging for those that depend on Twitter as a reflection of their identity and their beliefs.
At it's historical worst, a hacked Twitter account can be leveraged by terrorist groups and nation states to disperse propaganda during an election period, induce stock market instability, and undermine the national security of countries.
Two-Factor Authentication (2FA) can significantly boost the security of your Twitter account by requiring a second piece of information, or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something that you'll need to continue to regularly change, record, and remember.
Implementing a convenient, yet secure method of two-factor authentication is a critical step to enhancing your security on Twitter. The obsolete SMS-based sign-in security option, that is still being made available by Twitter to their users, will hopefully soon be decommissioned in favor of their newer, more secure sign-in options.
What are Your 2FA Options Currently?
You may have already setup one of Twitter's existing methods of 2FA, which is better than just using a password. However, since the method of 2FA you enabled may not be the most secure, it's good to know about all of the other options available, including their pros and cons.
One thing we observed is that Twitter allows you to enable more than one form of 2FA at a time. You can then select which type of 2FA to use when you sign-in. Due to the current design of the user interface, this might be confusing for the average user.
Typically, the last type of 2FA that you configured in settings, is the one that becomes effective after you enter your username/password. To use another mode of 2FA to sign in, select the "Choose a different verification method" option, as shown.
Below we have listed, from best to worst (security, not convenience), the options that Twitter provides as part of it's Login Verification feature for increasing your account security. Please note also that the methods provided by Twitter described below are subject to change over time, as they adapt their security.
You'll sign into Twitter with a username/password, and then use an additional physical security key that you either insert into your USB port, or place near your Near Field Communication (NFC) capable Android device.
AVAILABILITY: Twitter and Periscope
SECURITY: Best Available
SETUP: Difficult
PROS
- Provides an additional layer of security, beyond using a simple username/password.
- Currently, the most secure option offered by Twitter.
- No need to type in a code to sign in, just plug into USB, or place near your NFC-enabled smartphone.
- Requires an attacker to physically have the security key in order to sign in.
CONS
- Not supported on Safari or Internet Explorer. Requires you to use Google Chrome, or Opera to setup and use the security key. You'll also need to install and use Google Chrome or Opera on all devices where you will use Twitter.
- Not supported on iPhones. Requires you to use an Android smartphone with NFC capability.
- Not supported by the Twitter mobile app on Android. To use a security key with a smartphone, you'll need to use Twitter from Google Chrome, along with Google Authenticator.
- USB-only security keys are less expensive, but will limit you to using devices that have a USB port. For example PCs and notebooks.
- USB+NFC security keys are more expensive, and will work with a broader range of devices. For example PCs, notebooks, and NFC capable Android smartphones and tablets.
- Losing or damaging your security key means you can no longer sign in.
- Can get expensive, since the normal recommendation is to buy multiple security keys ($15-$50 per key), in case you lose one.
- You'll need to watch where you store, and possibly forget about, your backup security keys.
You'll sign into Twitter with a username/password, and then enter an additional code that is generated by a special authenticator app on another device, such as your smartphone.
AVAILABILITY: Twitter and Periscope
SECURITY: Moderate
SETUP: Inconvenient
PROS
- Provides an additional layer of security, beyond using a simple username/password.
CONS
- Needs additional setup, including the installation and setup of an Authenticator App, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator.
- You'll need to type in an additional code every time you sign in.
- Vulnerable to phishing attacks, such as those instigated by Fake Security Apps.
- Passcode generation system can be bypassed/reverse engineered over time.
You'll sign into Twitter with a username/password, and then enter an additional code that is sent to your smartphone via SMS text.
AVAILABILITY: Twitter and Periscope
SECURITY: Low
SETUP: Easy
PROS
- Provides an additional layer of security, beyond using a simple username/password.
- Provides the most user-friendly setup process out of all of Twitter's 2FA options.
CONS
- Needs additional configuration.
- You'll need to type in an additional code every time you sign in.
- You'll need cellular coverage in the area where you are signing in.
- Vulnerable to phone SIM card hijacking.
- Vulnerable to phishing attacks.
- Vulnerable to phone hijacking/cloning and Trojan security Apps, including banking trojans.
You'll sign in to Twitter with only a username and password.
AVAILABILITY: Twitter and Periscope
SECURITY: Worst Possible
SETUP: Easiest
PROS
- You only need to remember one password.
- No need for additional codes, apps and security keys.
CONS
- Requires only a single step to sign in, which in general simplifies several attack methodologies used by hackers.
- Vulnerable to brute force password attacks.
- Vulnerable to man-in-the-middle (MITM) attacks.
- Vulnerable to phishing attacks.
- Vulnerable if you are using the same, or similar usernames/passwords on other services that have been compromised.
How to Enable
Follow the Twitter setup procedure to enable login verification.
Features to Avoid
For all types of two-factor authentication offered by Twitter, there are convenience features that tend to break down the original vision of 2FA. So if possible, try to avoid depending on them too much, or at least be vigilant about how you use them.
Some examples are:
- The ability to take a picture of, download, or print a backup code that allows you to sign in from devices, in cases where you can't use 2FA.
Possible risks:
- After taking a picture of the codes with your smartphone, that picture might be synched to a cloud storage or backup service, meaning that it might become accessible to other people, or systems over time.
- After printing the codes, you might forget that your left a copy of these codes in you Downloads folder, or they might be lying around in your trash after you deleted them, or the printed codes might be intercepted in your baggage while you travel,...and so forth.
- Using any "Remember Browser" or "Remember this Computer" option, which defaults to ON. Possible Risk:
- If your device is stolen and the attacker has access to it, they'll be able to use this to access your Twitter account.
Regular Review
On a regular basis, you should regularly review the following on your Twitter account:
- Your password - update your password regularly using well established and updated password guidelines.
- The Recently used devices to access Twitter section in Twitter settings to see if there are any devices you don't recognize.
- Apps you may have unwittingly authorized to access your Twitter account, to prevent unwarranted access. Issues with third-party apps accessing users accounts on Facebook and Google were highlighted earlier this year.
Conclusion
As social networking companies continue to automate the validation of their users with artificial intelligence techniques, and reduce the human element of validation, we can also expect them to become increasingly vulnerable to Sybil-like attacks, which attempt to subvert social networks by forging individual, seemingly valid identities. Blockchain is helping to mitigate these risks as discussed in this article by Bennett Garner originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Acknowledgements:
Photo by Matthew Feeney on Unsplash