Twitter’s two-factor authentication offers limited security

Earlier this week Twitter beefed up its security by introducing a two-factor authentication system (2FA) where users could choose to get a second temporary login password when they signed on to Twitter from an Internet browser. This was a much asked-for feature after incidents of high-profile Twitter accounts, especially of news organizations, were hacked in recent weeks. However, the new system offers little protection and does almost nothing when it comes to securing team accounts.

The 2FA system implemented by Twitter is based on its Twitter via SMS service. The biggest limitation of this service is that it works only on a few carriers globally. In other words, if you are on a carrier with which Twitter does not have a partnership to send Tweets over SMS, you won’t be able to enable the new authentication system. In India, Twitter has partnerships with Airtel, Tata Docomo and Reliance Communications only and does not support other leading carriers such as Vodafone, Idea Cellular and Aircel, among others. You can check the global list of supported carriers here.

Secondly, the new system works with just one mobile number, which has been verified on the particular Twitter account. This makes it useless for team accounts that are handled by multiple people and would do nothing to secure accounts that are at the highest risk of getting hacked like those of media organizations and government bodies.

To be fair to Twitter, the company acknowledges the limitations. Twitter’s product security team’s Jim O’Leary mentions as much in the blog post that introduced this feature, “This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers). However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned.”

However, with the rapid growth that Twitter is witnessing, it needs to do much more, and much more quickly. Hopefully, a better security system will be delivered soon. Till then, having a strong password and not falling for phishing attempts remains every user’s best bet.

  • Sudip

    I am a Vodafone user (ported from Aircel-BSNL). At the time of mobile number registration I selected my number as one of the supported networks, and it is working fine. ;) :)