Twitter Implements Non-SMS based Two-Factor Authentication

Twitter joins Google and Facebook as another internet titan that offers more security-conscious consumers the ability to use two-factor authentication. Twitter has offered this via SMS text messages before, but has recently implemented a new method that doesn't require the consumer to receive a text message. Depending on the success or shortcomings of this 2FA method, it could become something more organizations implement.


It is a common and accepted fact in the eCommerce and security industries that passwords are inherently weak and insecure authentication mechanisms. Many organizations and industry experts have discussed stronger alternatives such as passphrases, dynamic and one-time passwords (OTPs), two-factor authentication, biometrics and others. But each of these suffers from its own set of issues. When left to choose their own, consumers tend to create weak passphrases. Two-factor authentication and one-time passwords add an additional step to the login or checkout process, which can adversely impact conversion. IBM predicts biometrics will one day replace passwords, but due to prohibitive costs this is unlikely to be adopted on a mass scale anytime soon.


Two-factor authentication usually requires an additional step from the consumer, such as receiving a code via email or text message and supplying that code. It is more accepted in certain industries, like online banking, but can be a barrier to sales conversion for others, like eCommerce retail. Twitter, Facebook, Google and others have offered two-factor authentication via SMS text messages, which could lead to consumers being more willing to accept the extra steps required by two-factor authentication. But Twitter has also recently launched a new way of accomplishing this that no longer requires the user to receive and enter a one-time code.


With Twitter's new two-factor authentication implementation, when users log in to their accounts from the web, a push notification requiring approval is sent to the user's mobile device via the Twitter app for iOS or Android. While this still comes through the phone, it does not require the user to enter a code; rather, they have the option to approve or deny the login via the notification. The login attempt notification includes the time, location and browser information of the login attempt. Each time a user attempts to log in, Twitter generates a new random request ID, while the user has a private key stored locally on their device. When they approve the login attempt, the private key is confirmed as belonging to that user's device and as matching the request ID.
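The flow described above, as an added example that is not Twitter's own code: the server issues a random request ID per login attempt, the app holds the private key and signs that ID when the user taps "approve", and the server checks the signature against the key enrolled for that device. The use of Ed25519 signatures, the 16-byte request ID and the in-memory maps are assumptions for illustration, not details from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Device models the phone app; NewDevice makes its key pair at enrollment and only the public half leaves the device.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err
}

// ApproveLogin is what tapping "approve" does: sign the request ID from the notification.
func (d *Device) ApproveLogin(reqID string) []byte { return ed25519.Sign(d.priv, []byte(reqID)) }

// Server stores each user's enrolled public key and the pending requests (request ID -> user).
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]string
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]string{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Login issues a fresh random request ID for this attempt and records it as pending.
func (s *Server) Login(user string) (string, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return "", errors.New("no enrolled device")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	s.pending[id] = user
	return id, nil
}

// Approve verifies the signature over this exact ID under the enrolled key; the ID is consumed first so it cannot be replayed.
func (s *Server) Approve(user, reqID string, sig []byte) error {
	if u, ok := s.pending[reqID]; !ok || u != user {
		return errors.New("unknown or already-used request")
	}
	delete(s.pending, reqID)
	if !ed25519.Verify(s.pubKeys[user], []byte(reqID), sig) {
		return errors.New("signature does not match enrolled device")
	}
	return nil
}
```

Because the signed value is the per-attempt request ID rather than a static secret, an approval captured for one login is useless for any other, and a second device that was never enrolled cannot produce a signature the server will accept.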


This method is easier and simpler for the consumer than entering a one-time code sent via SMS, but it is not without issues of its own. It requires that the user have mobile internet access at the time the login notification is sent, that the user have the Twitter app installed, and that they have an iOS or Android device. But using a mobile app to send and receive login confirmations, whether an existing app with other functions or a new one provided by the organization or a third party specifically for this purpose, is something other organizations could adopt. Many will be watching, and tweeting about, the pros and cons of this new voluntary two-factor authentication mechanism.


For more information: Twitter’s Killer New Two-Factor Solution Kicks SMS to the Curb