Twitter Two-Factor Lockout: One User's Horror Story
Is the security payoff from using Twitter's two-factor authentication system worth the risk of losing account access?
Warning to users of Twitter's two-factor authentication system: Never, ever misplace your backup access code and then switch phones. Otherwise, you'll find yourself locked out of your Twitter account.
That's the situation that an InformationWeek reader who goes by the handle "Infidel" found himself in, after he upgraded from a Motorola Droid Razr to a Moto X. Because he had enabled Twitter's two-factor authentication system -- dubbed "login verification" -- the switch to the new phone resulted in the loss of a security token required to verify his device.
When first configuring Twitter login verification, a user receives one or more backup codes to use in lieu of a smartphone, but Infidel misplaced his. As a result, he was blocked from being able to use the Twitter For Android app, or Twitter.com, to access his account, which over the course of 14 months had amassed about 1,500 followers.
On the upside, Infidel had previously used a one-time code generated by Twitter to authenticate Tweetdeck on his PC, meaning he could still post tweets and send direct messages because the software was using its own, unique authentication token, which wasn't tied to his smartphone. But after two months -- and filing a dozen requests for help -- Twitter's support team failed to respond to Infidel, thus leaving his smartphone and Twitter.com access in limbo and making him wonder if he should just reboot his Twitter presence using a new handle.
As Infidel's experience demonstrates, usability concerns continue to dog Twitter's login verification feature, which was introduced after the Syrian Electronic Army hacked an Associated Press Twitter feed in April to post a hoax message. Come August, Twitter overhauled the system with new features, making it a bit more user-friendly.
Here's how it works: Today, for any account for which the system is enabled, whenever a user enters the correct username and password, Twitter sends a one-time code to the registered smartphone, together with the time of the request, approximate geographic location of the requestor and browser used. Once the user enters the one-time code into the Twitter.com log-in page, he gains access.
What happened to Infidel? By changing to a different phone, even though his phone number remained the same, the new smartphone no longer had the private key -- one half of an asymmetric 2048-bit RSA keypair -- that Twitter generated and stored there when he set up login verification. As a result, the smartphone no longer functioned as a second factor for logging in. When Infidel tried to reset his password, that likewise failed, as he would end up in a never-ending loop: The Twitter For Android app redirected him to the website to obtain a temporary password, and the website sent him back to the Android app to get a temporary password.
Twitter's failsafe for these situations is that when a user activates login verification -- or logs in any time thereafter, provided he has access to his account -- he can generate up to five backup codes. "Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes," warns Twitter's login verification help page.
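The following is an added model, not Twitter's code, of the recovery state the article describes: a device-bound key as the second factor, five backup codes that must be redeemed in generation order (using a later code invalidates every earlier one, per the help page), and the locked-out condition reached when the key is gone and no valid code remains. Class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


@dataclass
class LoginVerification:
    # True while the phone still holds the private key provisioned at setup
    device_key_present: bool = True
    # SHA-256 digests of the backup codes, kept in generation order
    code_digests: List[bytes] = field(default_factory=list)
    # Codes at positions below this index are no longer accepted
    next_index: int = 0

    def generate_backup_codes(self, count: int = 5) -> List[str]:
        codes = [secrets.token_hex(6) for _ in range(count)]  # constructed sample codes
        self.code_digests = [_digest(c) for c in codes]
        self.next_index = 0
        return codes  # shown once; the user is expected to store them

    def switch_phone(self) -> None:
        # A new handset has no copy of the old device's private key
        self.device_key_present = False

    def redeem_backup_code(self, code: str) -> bool:
        wanted = _digest(code)
        for i in range(self.next_index, len(self.code_digests)):
            if hmac.compare_digest(self.code_digests[i], wanted):
                # Accepted; every code generated before it is now invalid
                self.next_index = i + 1
                return True
        return False  # unknown, already used, or invalidated by a later code

    def second_factor_ok(self, backup_code: Optional[str] = None) -> bool:
        if self.device_key_present:
            return True
        return backup_code is not None and self.redeem_backup_code(backup_code)

    def locked_out(self, remembered_codes: List[str]) -> bool:
        # No device key and no still-valid code among what the user kept
        if self.device_key_present:
            return False
        valid = self.code_digests[self.next_index:]
        return not any(hmac.compare_digest(_digest(c), d)
                       for c in remembered_codes for d in valid)
```

With an empty `remembered_codes` list after `switch_phone()`, `locked_out` is True: that is the state the article describes, with no further recovery path in the model.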
But Infidel couldn't find his code. "I'm usually pretty fastidious about stuff like that but I simply can't locate the image that I saved with the code on it," he said via email. "That said, I also don't think that it should be a fatal error, and I think that Twitter's lack of response to requests for support is sub-par."
"I just can't believe there's no provision for gaining access in the event of a lost backup code," he said.
Infidel's experience highlights the lightweight nature of Twitter's homebuilt two-factor system, which security experts have recommended avoiding. The design isn't surprising, given Twitter's iterative, "we build it ourselves" design ethos.
Twitter's two-factor options look paltry compared to other two-factor authentication systems. With Google, for example, if users lose their phone -- and backup codes -- after activating two-factor authentication, they can still deactivate two-factor authentication after signing in from a trusted computer. Or from the Google log-in screen, they can have more one-time access codes sent to a previously designated backup phone, or have their smartphone number called and a voicemail left with the code, which is handy if they still have access to voicemail. If those automatic options fail to work, users can still fill in an account-recovery form.
When contacted about Infidel's ongoing access problems, a Twitter spokeswoman stepped in, and in short order he reported that Twitter had created a trouble ticket, verified his identity and disabled the two-step verification on his account, thus letting him log in again from a browser. Problem solved. But why had his requests for help fallen through the cracks for two months? The Twitter spokeswoman declined to respond to that follow-up question.
Going forward, here's a polite request for Twitter's security developers: Please give users more ways to regain access to their account, should their phone go missing -- or get upgraded -- and they lose their backup codes. Until Twitter introduces better recovery features, users should think twice before activating login verification.