




How to Boost your Twitter Sign-In Security

19th September, 2018 | Cyberprivacy | Entropic

Photo by Matthew Feeney on Unsplash

In May 2013 Twitter first introduced their SMS-based Two-Factor Authentication system, which they named "Login Verification". This was done in response to the weakening of their username/password-only sign-in, which was rapidly becoming vulnerable to spear-phishing attacks and other types of data breaches.

Amongst other key events, the most noteworthy was the use of spear-phishing to gain access to the Twitter accounts of The Associated Press and, on April 23rd 2013, make false posts that caused the Dow Jones to plunge 143 points. Since then, hackers have found ways to bypass SMS-based two-factor authentication, putting more pressure on Twitter to provide additional options that enhance sign-in security for their users.

In December 2017, they introduced the ability to use third-party authenticator apps, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator. Most recently in June of this year, they introduced the ability to use security keys on Android smartphones.

Unlike Facebook, Twitter does not seem to suffer from as much Subsidiary Drag when it comes to implementing security for their users: Periscope currently offers the same 2FA sign-in security options as Twitter.

With its focus on less personal, more frequent communication, Twitter does not tend to amass concentrated personal information in the same way that Facebook does. However, a compromise of this platform carries risks that differ from a typical data loss scenario. People who gain access to your Twitter account can leverage it to misrepresent you by tweeting on your behalf. This can be severely damaging for those who depend on Twitter as a reflection of their identity and their beliefs.

At its historical worst, a hacked Twitter account can be leveraged by terrorist groups and nation states to spread propaganda during an election period, induce stock market instability, and undermine the national security of countries.

Two-Factor Authentication (2FA) can significantly boost the security of your Twitter account by requiring a second piece of information or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something you'll need to continue to regularly change, record, and remember.

Implementing a convenient yet secure method of two-factor authentication is a critical step to enhancing your security on Twitter. The obsolete SMS-based sign-in security option, which Twitter still makes available to their users, will hopefully soon be decommissioned in favor of their newer, more secure sign-in options.

What are Your 2FA Options Currently?

You may have already set up one of Twitter's existing methods of 2FA, which is better than just using a password. However, since the method of 2FA you enabled may not be the most secure, it's good to know about all of the other options available, including their pros and cons.

Selecting an alternative type of two-factor authentication on Twitter

One thing we observed is that Twitter allows you to enable more than one form of 2FA at a time. You can then select which type of 2FA to use when you sign in. Due to the current design of the user interface, this might be confusing for the average user.

Typically, the last type of 2FA that you configured in settings is the one that takes effect after you enter your username/password. To use another mode of 2FA to sign in, select the "Choose a different verification method" option, as shown.

Below we have listed, from best to worst (by security, not convenience), the options that Twitter provides as part of its Login Verification feature for increasing your account security. Please note also that the methods provided by Twitter described below are subject to change over time, as they adapt their security.

The sign-in security options provided by Twitter


OPTION 1: PHYSICAL SECURITY KEY

You'll sign into Twitter with a username/password, and then use an additional physical security key that you either insert into your USB port, or place near your Near Field Communication (NFC) capable Android device.

Twitter sign-in using a security key

AVAILABILITY: Twitter and Periscope
SECURITY: Best Available
SETUP: Difficult
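Why a security key ranks above the other options comes down to what the key actually signs. The key signs a fresh challenge from the site together with the origin the browser reports, so a signature obtained on a look-alike page does not verify on the real site, and an old signature cannot be replayed against a new challenge. The Go program below is an added illustration written for this article, not Twitter's, Periscope's or any key vendor's code. It stands in for a FIDO-style key with a single P-256 ECDSA key pair, and the signed message layout (origin, a zero byte, challenge) is an assumption made for the example; WebAuthn's real signed data is richer, but it contains the origin for exactly this reason. The lure origin "https://lure.example" is a constructed name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecurityKey is a constructed stand-in for a hardware key: one P-256 key
// pair registered with one site. (Real FIDO keys mint a fresh pair per site.)
type SecurityKey struct {
	priv *ecdsa.PrivateKey
}

func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}

// Public is what the site stores at registration; it cannot be used to sign.
func (k *SecurityKey) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// NewChallenge is the site's fresh, unpredictable nonce for one sign-in.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage binds the challenge to an origin. The layout (origin, a zero
// byte, challenge) is an assumption for this example, not the WebAuthn format.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the key does when the user touches it. The browser, not the
// user, fills in the origin it is actually showing, so a lure page cannot
// claim to be the real site.
func (k *SecurityKey) Sign(browserOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(browserOrigin, challenge))
}

// Verify is the site's check: it rebuilds the message with its own origin and
// the challenge it issued, so a signature made elsewhere never validates.
func Verify(pub *ecdsa.PublicKey, siteOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(siteOrigin, challenge), sig)
}

// Demo runs a genuine sign-in, a relayed (phished) sign-in and a replay, and
// reports which of them the site accepts.
func Demo() (genuine, relayed, replayed bool, err error) {
	const site = "https://twitter.com"
	key, err := NewSecurityKey()
	if err != nil {
		return
	}
	pub := key.Public() // stored by the site at registration time

	// Genuine: the browser is on the real site, so it reports the real origin.
	c1, err := NewChallenge()
	if err != nil {
		return
	}
	sig1, err := key.Sign(site, c1)
	if err != nil {
		return
	}
	genuine = Verify(pub, site, c1, sig1)

	// Relayed: a lure page (constructed origin) forwards the real challenge,
	// but the browser there reports the lure's origin, so the message differs.
	sig2, err := key.Sign("https://lure.example", c1)
	if err != nil {
		return
	}
	relayed = Verify(pub, site, c1, sig2)

	// Replay: an old genuine signature presented against a new challenge.
	c2, err := NewChallenge()
	if err != nil {
		return
	}
	replayed = Verify(pub, site, c2, sig1)
	return
}

func main() {
	genuine, relayed, replayed, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine sign-in accepted:", genuine)        // true
	fmt.Println("relayed via lure page accepted:", relayed)  // false
	fmt.Println("replayed old signature accepted:", replayed) // false
}
```

Run it with `go run` and all three verdicts print as expected. The contrast with the passcode options is that nothing the user types or reads is involved: the origin check happens inside the browser and the key, which is what makes the "Best Available" rating stick even against a convincing phishing page.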



OPTION 2: ONE TIME PASSCODE (VIA AUTHENTICATOR APP)

You'll sign into Twitter with a username/password, and then enter an additional code that is generated by a special authenticator app on another device, such as your smartphone.

Google Authenticator

AVAILABILITY: Twitter and Periscope
SECURITY: Moderate
SETUP: Inconvenient



OPTION 3: ONE TIME PASSCODE (VIA SMS)

You'll sign into Twitter with a username/password, and then enter an additional code that is sent to your smartphone via SMS text.

Twitter SMS Authentication

AVAILABILITY: Twitter and Periscope
SECURITY: Low
SETUP: Easy



OPTION 4: USERNAME & PASSWORD ONLY (NO 2FA)

You'll sign in to Twitter with only a username and password.

Twitter sign-in screen

AVAILABILITY: Twitter and Periscope
SECURITY: Worst Possible
SETUP: Easiest


How to Enable

Follow the Twitter setup procedure to enable login verification.

Features to Avoid

For all types of two-factor authentication offered by Twitter, there are convenience features that tend to undermine the original intent of 2FA. So, if possible, avoid depending on them too much, or at least be vigilant about how you use them.

Some examples are:

  1. The ability to take a picture of, download, or print a backup code that allows you to sign in from devices in cases where you can't use 2FA. Possible risks:

    1. After taking a picture of the codes with your smartphone, that picture might be synced to a cloud storage or backup service, meaning that it might become accessible to other people or systems over time.

    2. After printing the codes, you might forget that you left a copy of these codes in your Downloads folder, or they might be lying around in your trash after you deleted them, or the printed codes might be intercepted in your baggage while you travel, and so forth.

  2. Using any "Remember Browser" or "Remember this Computer" option, which defaults to ON. Possible risk:

    1. If your device is stolen and the attacker has access to it, they'll be able to use this to access your Twitter account.

Regular Review

On a regular basis, you should review the following on your Twitter account:

  1. Your password: update it regularly, following well-established and current password guidelines.

  2. The "Recently used devices to access Twitter" section in Twitter settings, to check for any devices you don't recognize.

  3. Apps you may have unwittingly authorized to access your Twitter account, to prevent unwarranted access. Issues with third-party apps accessing users' accounts on Facebook and Google were highlighted earlier this year.

Conclusion

As social networking companies continue to automate the validation of their users with artificial intelligence techniques, and reduce the human element of validation, we can also expect them to become increasingly vulnerable to Sybil-like attacks, which attempt to subvert social networks by forging individual, seemingly valid identities. Blockchain is helping to mitigate these risks as discussed in this article by Bennett Garner originally posted on CoinCentral.com.

If you have any feedback, questions, or suggestions, please let us know.

Acknowledgements:
Photo by Matthew Feeney on Unsplash