Commentary
10/28/2013 08:11 PM

Twitter Two-Factor Lockout: One User's Horror Story

Is the security payoff from using Twitter's two-factor authentication system worth the risk of losing account access?

Warning to users of Twitter's two-factor authentication system: Never, ever misplace your backup access code and then switch phones. Otherwise, you'll find yourself locked out of your Twitter account.

That's the situation that an InformationWeek reader who goes by the handle "Infidel" found himself in, after he upgraded from a Motorola Droid Razr to a Moto X. Because he had enabled Twitter's two-factor authentication system -- dubbed "login verification" -- the switch to the new phone resulted in the loss of a security token required to verify his device.

When first configuring Twitter login verification, a user receives one or more backup codes to use in lieu of a smartphone, but Infidel misplaced his. As a result, he was blocked from being able to use the Twitter For Android app, or Twitter.com, to access his account, which over the course of 14 months had amassed about 1,500 followers.

On the upside, Infidel had previously used a one-time code generated by Twitter to authenticate Tweetdeck on his PC, so he could still post tweets and send direct messages: the software was using its own unique authentication token, which wasn't tied to his smartphone. But after two months -- and a dozen requests for help -- Twitter's support team still had not responded to Infidel, leaving his smartphone and Twitter.com access in limbo and making him wonder if he should just reboot his Twitter presence using a new handle.


As Infidel's experience demonstrates, usability concerns continue to dog Twitter's login verification feature, which was introduced after the Syrian Electronic Army hacked an Associated Press Twitter feed in April to post a hoax message. Come August, Twitter overhauled the system with new features, making it a bit more user-friendly.

Here's how it works: Today, for any account for which the system is enabled, whenever a user enters the correct username and password, Twitter sends a one-time code to the registered smartphone, together with the time of the request, approximate geographic location of the requestor and browser used. Once the user enters the one-time code into the Twitter.com log-in page, he gains access.

What happened to Infidel? By changing to a different phone, even though his phone number remained the same, the new smartphone no longer had the private key -- one half of an asymmetric 2048-bit RSA keypair -- that Twitter generated and stored there when he set up login verification. As a result, the smartphone no longer functioned as a second factor for logging in. When Infidel tried to reset his password, that likewise failed, leaving him in a never-ending loop: the Twitter For Android app redirected him to the website to obtain a temporary password, which in turn sent him back to the Android app to get one.

Twitter's failsafe for these situations is that when a user activates login verification -- or logs in any time thereafter, provided he has access to his account -- he can generate up to five backup codes. "Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes," warns Twitter's login verification help page.
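To make that ordering rule concrete, here is an added illustration (not Twitter's code, and not from the article) of how a service could store and redeem backup codes so that redeeming a code out of order invalidates every unused code generated before it. The class name `BackupCodeStore`, the hashed storage, the code format and the `remaining()` counter are assumptions for the example; the five-code limit and the ordering rule are the ones Twitter's help page states.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 5  # Twitter's help page: up to five backup codes per account


def _digest(code: str) -> str:
    # Backup codes are one-time secrets. Store only a hash so a leaked
    # database does not hand out working second factors.
    return hashlib.sha256(code.strip().encode()).hexdigest()


class BackupCodeStore:
    """Per-account backup codes with the stated ordering rule (assumed model):
    codes are valid in generation order, and redeeming code i invalidates
    every unused code that was generated before it."""

    def __init__(self) -> None:
        self._hashes: list[str] = []   # index == generation order
        self._used: list[bool] = []
        self._floor = 0                # lowest index that is still redeemable

    def generate(self, count: int = CODE_COUNT) -> list[str]:
        """Replace any existing codes; return the plaintexts to show once."""
        plaintexts = [secrets.token_hex(6) for _ in range(count)]  # 12 hex chars
        self.load(plaintexts)
        return plaintexts

    def load(self, plaintexts: list[str]) -> None:
        """Install a known list of codes (used here so tests are deterministic)."""
        self._hashes = [_digest(c) for c in plaintexts]
        self._used = [False] * len(plaintexts)
        self._floor = 0

    def redeem(self, candidate: str) -> bool:
        """Return True and consume the code if it is valid, else False."""
        digest = _digest(candidate)
        # Only indices at or above the floor are considered; anything below it
        # was invalidated by an earlier out-of-order redemption.
        for i in range(self._floor, len(self._hashes)):
            if not self._used[i] and hmac.compare_digest(self._hashes[i], digest):
                self._used[i] = True
                self._floor = i + 1    # burns every unused code before index i
                return True
        return False

    def remaining(self) -> int:
        """Unused, still-valid codes; a service would warn when this runs low."""
        return sum(1 for i in range(self._floor, len(self._hashes)) if not self._used[i])


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.generate()
    print("show these once:", codes)
    print("third code works:", store.redeem(codes[2]))     # True
    print("first code now dead:", store.redeem(codes[0]))  # False
    print("codes left:", store.remaining())                # 2
```

The `remaining()` count is the piece a service would surface in the UI so a user can regenerate codes before the last one is spent, which is the gap the article goes on to describe.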

But Infidel couldn't find his code. "I'm usually pretty fastidious about stuff like that but I simply can't locate the image that I saved with the code on it," he said via email. "That said, I also don't think that it should be a fatal error, and I think that Twitter's lack of response to requests for support is sub-par."

"I just can't believe there's no provision for gaining access in the event of a lost backup code," he said.

Infidel's experience highlights the lightweight nature of Twitter's homebuilt two-factor system, which security experts have recommended avoiding. The design isn't surprising, given Twitter's iterative, "we build it ourselves" design ethos.

Twitter's two-factor options look paltry compared to other two-factor authentication systems. With Google, for example, if users lose their phone -- and backup codes -- after activating two-factor authentication, they can still deactivate two-factor authentication after signing in from a trusted computer. Or from the Google log-in screen, they can have more one-time access codes sent to a previously designated backup phone, or have their smartphone number called and a voicemail left with the code, which is handy if they still have access to voicemail. If those automatic options fail to work, users can still fill in an account-recovery form.

When contacted about Infidel's ongoing access problems, a Twitter spokeswoman stepped in, and in short order he reported that Twitter had created a trouble ticket, verified his identity and disabled the two-step verification on his account, thus letting him log in again from a browser. Problem solved. But why had his requests for help fallen through the cracks for two months? The Twitter spokeswoman declined to respond to that follow-up question.

Going forward, here's a polite request for Twitter's security developers: Please give users more ways to regain access to their account, should their phone go missing -- or get upgraded -- and they lose their backup codes. Until Twitter introduces better recovery features, users should think twice before activating login verification.

Comments

Joe Stanganelli,
User Rank: Ninja
10/31/2013 | 1:43:55 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
My Twitter account is not desperately important to me, for that matter.
Joe Stanganelli,
User Rank: Ninja
10/31/2013 | 1:40:47 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
Reminds me of a time I was in rural New Hampshire, had exactly $1 on me, and went to an ATM -- only to find that my card wasn't working. As I spent 45 minutes on the phone with my bank, they were insistent that I give them proof of one of three recent transactions via information from a receipt. (Only by the grace of keeping a George Costanza-like wallet did I actually find such a receipt.)

I remember shouting at the person on the phone, "I want LESS security, NOT MORE!!!"
moarsauce123,
User Rank: Ninja
10/30/2013 | 8:18:52 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
The problem is that two factor authentication mechanisms insist on using a smartphone. There are plenty of other alternatives such as PC, tablet, landline, or even snail mail plus authentication questions that the user creates and, of course, answers. I would never use the "Name of first pet" question because I did not have pets growing up and many of the other questions do not allow for the correct answers because for me they include special characters that US designed systems are too dumb to handle.
That all was to be solved with the backup codes and I think it is a good approach. If users are too careless to take care of the backup then oh well, they are out of luck. In the end this is just a Twitter account...who needs Twitter anyway?
Byurcan,
User Rank: Apprentice
10/30/2013 | 12:07:28 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
Interesting story, and a word of warning. This will definitely remind me to save my backup codes where I absolutely will remember.
Aroper-VEC,
User Rank: Strategist
10/29/2013 | 4:55:54 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
Whether it's good or bad, it's better than not having it. That being said, Twitter does warn you to print it out and save it in a safe place. Security is not just the vendor's responsibility. Diligence on the part of the end user is paramount.

I totally agree that the system needs some tweaking, enhancement, and overall revamping but, in the meantime, save that backup code in a safe place!
howardgr,
User Rank: Apprentice
10/29/2013 | 4:54:52 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
Good piece, Matthew. I recommend that Twitter do as you suggest, and provide a more complete 2 factor offering. I'm off to find where my 2nd code is now...
wht,
User Rank: Strategist
10/29/2013 | 4:50:39 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
Is Twitter run by twits? I have never encountered a lockout like his after years of using multiple websites with passwords and 2 factor protection. In every case it was not that difficult to establish my identity, with or without a support call, and re-establish access the same day or the next day.
David F. Carr,
User Rank: Author
10/29/2013 | 1:35:03 PM
re: Twitter Two-Factor Lockout: One User's Horror Story
I find myself much more fearful of a security system that could lock me out of my account than I am of any intruder.