2-Step Cited as Twitter Security Fix
By JOANNA STERN (@joannastern), Apr 24, 2013, 12:37 PM
It can be said in the length of a single tweet: When a 140-character message can lead to national security issues, Twitter itself needs better security tools.
On Tuesday afternoon, The Associated Press tweeted that two bombs had exploded at the White House and that President Obama had been injured. That, of course, turned out to be false information. The news organization's account had been hacked.
Still, the tweet had far-reaching repercussions. The stock market dropped 150 points as a result and the White House responded to the tweet by reassuring the country that the president was just fine.
Also, days before the AP was hacked, CBS' "60 Minutes" account was compromised by hackers.
With that, security experts believe more than ever that Twitter's security systems need to be strengthened, starting with something called two-factor authentication.
"To address the breach and other ones that have happened, the number one thing that needs to happen is we need to move from single authentication to multiple factors," Tony Busseri, the CEO of Route1, a cybersecurity firm whose customers include the U.S. Dept. of Defense, told ABC News. "Without that, we continue to be at risk."
What Is Two-Factor Authentication?
Two-factor, or two-step, authentication on Web services is nothing new. Indeed, your Gmail or Yahoo email accounts have it. You might just not have it enabled.
The idea is that instead of just plugging in your account username and password to get access to your account, you have to go through an additional step -- or two steps -- to confirm that you are who you say you are.
"Two factor is two ways of authenticating who you are," McAfee security expert Robert Siciliano explained to ABC News. "Two factor, generally, by definition is something you know and something that you have or you are."
Essentially, the first part is something you know. That part we all already do. We punch in our username and then our private password.
The second part is something that you have (say a PIN that's sent to you via text message or on a keycard) or it is you yourself (with a fingerprint or an eye scan).
"The punch line: A username and password are not enough to confirm an individual's identity," Busseri of Route1 said.
He stressed that there needs to be another way of actually authenticating that you are really the person who controls the account.
How does this make accounts more secure and safer from hackers? On top of gaining access to just the original password, a hacker or hacker group would need access to your second factor as well, putting another roadblock in the way.
Why Twitter and Others Need It Now
Google, Microsoft and other companies that provide online services do offer two-factor, or two-step, verification. With Google and Microsoft's implementations, users can set it up so that when they sign into their accounts, they are required to enter a password and another code, which is sent via text message or relayed in a voice call.
Twitter is planning to launch a two-factor setting soon, according to Wired and other reports.
Twitter says it has nothing to announce at this time.
Whether Twitter will release the feature for all users or just those with Verified accounts, or for those who pass a certain threshold of followers remains to be seen. But McAfee's Siciliano says that everyone should get into the practice of using the two-step setting.
"I think that it would be good training for everyone to do it," he said. "The majority of our accounts are going to have two-factor. Twitter, being for most people non-essential, would be a good place for people to adopt it."
Of course, having to type in two passwords or pieces of information might be considered an annoyance for people, but as we have seen in the past couple of weeks, the payoff can, in some cases, mean thwarting national security issues.
"At this point, the weight of a tweet essentially can affect people's lives in regards to their financials and also their life itself, as we saw in the case of the Boston bombings and the requests that were being made by the FBI and the Boston police," Siciliano said. "Security is not convenient, it can be a hassle."