Twitter Two-Factor Lockout: One User's Horror Story - InformationWeek


Commentary | Government // Mobile & Wireless | 10/28/2013 08:11 PM


Is the security payoff from using Twitter's two-factor authentication system worth the risk of losing account access?

Warning to users of Twitter's two-factor authentication system: Never, ever misplace your backup access code and then switch phones. Otherwise, you'll find yourself locked out of your Twitter account.

That's the situation that an InformationWeek reader who goes by the handle "Infidel" found himself in, after he upgraded from a Motorola Droid Razr to a Moto X. Because he had enabled Twitter's two-factor authentication system -- dubbed "login verification" -- the switch to the new phone resulted in the loss of a security token required to verify his device.

When first configuring Twitter login verification, a user receives one or more backup codes to use in lieu of a smartphone, but Infidel misplaced his. As a result, he was blocked from being able to use the Twitter For Android app, or Twitter.com, to access his account, which over the course of 14 months had amassed about 1,500 followers.

On the upside, Infidel had previously used a one-time code generated by Twitter to authenticate Tweetdeck on his PC, meaning he could still post tweets and send direct messages because the software was using its own, unique authentication token, which wasn't tied to his smartphone. But after two months -- and filing a dozen requests for help -- Twitter's support team failed to respond to Infidel, thus leaving his smartphone and Twitter.com access in limbo and making him wonder if he should just reboot his Twitter presence using a new handle.


As Infidel's experience demonstrates, usability concerns continue to dog Twitter's login verification feature, which was introduced after the Syrian Electronic Army hacked an Associated Press Twitter feed in April to post a hoax message. Come August, Twitter overhauled the system with new features, making it a bit more user-friendly.

Here's how it works: Today, for any account for which the system is enabled, whenever a user enters the correct username and password, Twitter sends a one-time code to the registered smartphone, together with the time of the request, approximate geographic location of the requestor and browser used. Once the user enters the one-time code into the Twitter.com log-in page, he gains access.

What happened to Infidel? By changing to a different phone, even though his phone number remained the same, the new smartphone no longer had the private key -- one half of an asymmetric 2048-bit RSA keypair -- that Twitter generated and stored there when he set up login verification. As a result, the smartphone no longer functioned as a second factor for logging in. When Infidel tried to reset his password, that likewise failed, because he ended up in a never-ending loop: the Twitter For Android app redirected him to the website to obtain a temporary password, and the website sent him back to the Android app to get a temporary password.

Twitter's failsafe for these situations is that when a user activates login verification -- or logs in any time thereafter, provided he has access to his account -- he can generate up to five backup codes. "Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes," warns Twitter's login verification help page.
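As an added illustration (not Twitter's code), here is a minimal server-side model of the ordering rule quoted above: codes are issued with sequence numbers, stored only as hashes, and redeeming one burns it together with every code generated before it, while later codes survive. The code format, the hashing and the class name are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_CODES = 5  # the help page quoted above allows up to five backup codes


def _digest(code: str) -> bytes:
    # Only a hash of each code is kept server-side, so a leaked table
    # does not hand out usable backup codes (assumed design, not Twitter's).
    return hashlib.sha256(code.encode()).digest()


class BackupCodeStore:
    """Ordered backup codes: using a code invalidates it and all earlier ones."""

    def __init__(self) -> None:
        self._hashes: dict[int, bytes] = {}  # sequence number -> digest
        self._next_seq = 0

    def generate(self) -> str:
        if len(self._hashes) >= MAX_CODES:
            raise ValueError("at most %d live backup codes" % MAX_CODES)
        code = secrets.token_hex(6)  # 12 hex characters; format is an assumption
        self._hashes[self._next_seq] = _digest(code)
        self._next_seq += 1
        return code

    def live_count(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Return True if candidate is live; burn it and every earlier code."""
        digest = _digest(candidate)
        for seq in sorted(self._hashes):  # lowest sequence number first
            if hmac.compare_digest(self._hashes[seq], digest):
                self._hashes = {s: h for s, h in self._hashes.items() if s > seq}
                return True
        return False


def demo() -> tuple[bool, bool, bool, int]:
    # Constructed walk-through of the out-of-order case described in the text.
    store = BackupCodeStore()
    first, second, third = (store.generate() for _ in range(3))
    used_second = store.redeem(second)  # accepted
    used_first = store.redeem(first)    # rejected: invalidated by using second
    used_third = store.redeem(third)    # accepted: later codes survive
    return used_second, used_first, used_third, store.live_count()
```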

But Infidel couldn't find his code. "I'm usually pretty fastidious about stuff like that but I simply can't locate the image that I saved with the code on it," he said via email. "That said, I also don't think that it should be a fatal error, and I think that Twitter's lack of response to requests for support is sub-par."

"I just can't believe there's no provision for gaining access in the event of a lost backup code," he said.

Infidel's experience highlights the lightweight nature of Twitter's homebuilt two-factor system, which security experts have recommended avoiding. The design isn't surprising, given Twitter's iterative, "we build it ourselves" design ethos.

Twitter's two-factor options look paltry compared to other two-factor authentication systems. With Google, for example, if users lose their phone -- and backup codes -- after activating two-factor authentication, they can still deactivate two-factor authentication after signing in from a trusted computer. Or from the Google log-in screen, they can have more one-time access codes sent to a previously designated backup phone, or have their smartphone number called and a voicemail left with the code, which is handy if they still have access to voicemail. If those automatic options fail to work, users can still fill in an account-recovery form.

When contacted about Infidel's ongoing access problems, a Twitter spokeswoman stepped in, and in short order he reported that Twitter had created a trouble ticket, verified his identity and disabled the two-step verification on his account, thus letting him log in again from a browser. Problem solved. But why had his requests for help fallen through the cracks for two months? The Twitter spokeswoman declined to respond to that follow-up question.

Going forward, here's a polite request for Twitter's security developers: Please give users more ways to regain access to their account, should their phone go missing -- or get upgraded -- and they lose their backup codes. Until Twitter introduces better recovery features, users should think twice before activating login verification.

Comments
Joe Stanganelli, User Rank: Author, 10/31/2013 | 1:43:55 PM
My Twitter account is not desperately important to me, for that matter.
Joe Stanganelli, User Rank: Author, 10/31/2013 | 1:40:47 PM
Reminds me of a time I was in rural New Hampshire, had exactly $1 on me, and went to an ATM -- only to find that my card wasn't working. As I spent 45 minutes on the phone with my bank, they were insistent that I give them proof of one of three recent transactions via information from a receipt. (Only by the grace of keeping a George Costanza-like wallet did I actually find such a receipt.)

I remember shouting at the person on the phone, "I want LESS security, NOT MORE!!!"
moarsauce123, User Rank: Ninja, 10/30/2013 | 8:18:52 PM
The problem is that two factor authentication mechanisms insist on using a smartphone. There are plenty of other alternatives such as PC, tablet, landline, or even snail mail plus authentication questions that the user creates and, of course, answers. I would never use the "Name of first pet" question because I did not have pets growing up and many of the other questions do not allow for the correct answers because for me they include special characters that US designed systems are too dumb to handle.
That all was to be solved with the backup codes and I think it is a good approach. If users are too careless to take care of the backup then oh well, they are out of luck. In the end this is just a Twitter account...who needs Twitter anyway?
Byurcan, User Rank: Apprentice, 10/30/2013 | 12:07:28 PM
Interesting story, and a word of warning. This will definitely remind me to save my backup codes where I absolutely will remember.
Aroper-VEC, User Rank: Strategist, 10/29/2013 | 4:55:54 PM
Whether it's good or bad, it's better than not having it. That being said, Twitter does warn you to print it out and save it in a safe place. Security is not just the vendor's responsibility. Diligence on the part of the end user is paramount.

I totally agree that the system needs some tweaking, enhancement, and overall revamping but, in the meantime, save that backup code in a safe place!
howardgr, User Rank: Apprentice, 10/29/2013 | 4:54:52 PM
Good piece, Matthew. I recommend that Twitter do as you suggest, and provide a more complete 2 factor offering. I'm off to find where my 2nd code is now...
wht, User Rank: Strategist, 10/29/2013 | 4:50:39 PM
Is Twitter run by twits? I have never encountered a lockout like his after years of using multiple websites with passwords and 2 factor protection. In every case it was not that difficult to establish my identity, with or without a support call, and re-establish access the same day or the next day.
David F. Carr, User Rank: Author, 10/29/2013 | 1:35:03 PM
I find myself much more fearful of a security system that could lock me out of my account than I am of any intruder.