
Why it’s time for Twitter to add two-factor authentication

As it becomes clear that an errant tweet can move stock prices, perhaps it’s time for Twitter to improve security measures and add two-factor authentication for accounts.

The Associated Press’s Twitter account was hacked this morning, sending out updates saying that explosions had hit the White House and President Barack Obama had been injured. The AP’s account was immediately suspended and the tweets removed, but not before the Dow dropped about 200 points. It has since recovered, but a swing that fast makes it possible for someone to have made a lot of money.

Twitter has had security issues before, most recently when it notified users that a number of passwords had been compromised in February, but now with new SEC rules allowing analysts and traders to check tweets for market-moving information, it’s more important than ever for the company to give influential users as many security tools as possible.

Apple just added two-factor authentication to Apple IDs in March, Microsoft rolled it out last week, and Google has had it for much longer. Two-factor authentication is just one way that users can protect their accounts: a stolen password alone is not enough to hack an account, because the person logging in must also have a second form of identification in their possession. For instance, Gmail users can set up their smartphones to work with two-factor authentication, requiring a PIN sent to their phone when they try to log in online.

It’s quickly becoming common practice among large web companies, and as the stakes increase for Twitter, it’s time for the company to consider adding the feature. Ars Technica reported in February that Twitter had posted job listings seeking engineers with experience in security, including “multifactor authentication and fraudulent login detection.”

Twitter has not yet responded to our request for comment on its current plans.
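The PIN-sent-to-a-phone login step described above, as an added example (not code from Google, Twitter or any other company named in this post): after the password check succeeds, the server issues a six-digit PIN and accepts it only once, within a time limit and a bounded number of guesses. The `send_sms` callable, the 300-second lifetime and the five-attempt limit are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL = 300      # seconds a PIN stays valid (assumed policy)
MAX_ATTEMPTS = 5   # wrong guesses allowed before the challenge is voided (assumed)


class PinChallenges:
    """Server-side store of pending second-factor challenges (in memory)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway: send_sms(phone, text)
        self._clock = clock
        self._key = secrets.token_bytes(32)
        self._pending = {}          # user -> [pin_mac, expires_at, attempts_left]

    def _mac(self, user, pin):
        # Keep only a keyed hash so a leaked table does not reveal live PINs.
        return hmac.new(self._key, f"{user}:{pin}".encode(), hashlib.sha256).digest()

    def start(self, user, phone):
        """Issue a PIN; call only after the password check has succeeded."""
        pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
        self._pending[user] = [self._mac(user, pin), self._clock() + PIN_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {pin}")

    def verify(self, user, pin):
        entry = self._pending.get(user)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]   # expired or guessed out: force a new PIN
            return False
        if hmac.compare_digest(mac, self._mac(user, pin)):
            del self._pending[user]   # single use: a replayed PIN fails
            return True
        entry[2] -= 1                 # bound online guessing of the six digits
        return False


if __name__ == "__main__":
    outbox = []                       # constructed stand-in for the user's phone
    mfa = PinChallenges(lambda phone, text: outbox.append(text))
    mfa.start("alice", "+1-555-0100")             # constructed account and number
    print(mfa.verify("alice", outbox[-1][-6:]))   # True
    print(mfa.verify("alice", outbox[-1][-6:]))   # False
```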

4 Responses to “Why it’s time for Twitter to add two-factor authentication”

  1. Twitter didn’t allow for that hack. AP did. People need to start taking responsibility for the type of passwords they create as well as who is accessing their networks.

  2. Two-factor authentication is absolutely becoming a standard in web companies, as well as in traditional industries like banking. Intuit, Bank of America, etc. implement phone-based and identity verifications for their customers – so should companies like Twitter whose user base has incredible and powerful reach.

    TFA is actually really simple to implement. With SMS and voice, you’re covering almost all of your potential customer base as not being limited by smart or feature phones. It’s perhaps just a piece of what companies should include in their security infrastructure, but it’s a powerful one that is a step in the right direction.

    I work with the communications platform Twilio, and we’ve published a lot of documentation and industry analysis of phone-based security solutions, because we believe the phone is integral in security strategies. Read more, and feel free to ping me if you’d like to discuss murphy [at] twilio [dot] com:

    • The last thing I want to do is be called or texted additional information to log into my account somewhere. Good thing I don’t patronize Intuit (too many mistakes in their tax software costing me money and potentially an audit) or Bank of America (too much outsourcing).

      • I’ll assume that you aren’t familiar with (just as examples) Google’s or Blizzard’s two-factor authentication systems. This isn’t something that companies are foisting upon their users - you have to go out of your way to choose and set up the feature. (Your internal IT department could force you to use two-factor authentication, but no one can help you there.)

        What’s important to me may not be important to you, and that’s normal. Complaining about something that doesn’t affect you unless you seek it out isn’t logical. I’m glad that most companies consider the importance of maintaining user experience - without letting opinions like this one stop them from developing optional features that are valued by many.