Remember how Apple – after a major security hole let attackers reset your Apple ID password using only your email address and date of birth – enabled two-step authentication for Apple ID accounts? You’d be forgiven for thinking that every popular web service out there has by now adopted heightened security features, but that’s not really the case.
Google, for example, last year enabled a two-step process for Google Accounts, with Dropbox following suit a few months later. Today, micro-blogging platform Twitter joined the fray with its own version of two-step verification designed to keep the bad guys out of your account.
You should enable it immediately and iDB, as always, has you covered with a handy tutorial on that…
“We occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web,” product security team member Jim O’Leary wrote in a blog post.
At its core, two-step verification combines something you know (your account password) with something you own (a mobile phone) in order to make it really, really hard – if not impossible – for attackers to hack your account.
Provided your Twitter account has a confirmed email address and a verified phone number, you can – and should – enable two-step authentication right now, by following these four easy steps:
- log in to Twitter and visit your account settings page at twitter.com/account/settings
- tick the “Require a verification code when I sign in” checkbox
- this feature requires a mobile phone number so click on the link to “add a phone” right below and follow the prompts
From now on, each time you sign in to Twitter’s web interface, you’ll have to enter a six-digit code that gets sent to your phone via SMS. They also made a little video explaining how to enroll your Twitter account into two-step verification.
The solution, unfortunately, isn’t perfect.
For starters, because this is SMS-based login verification, it comes with a major drawback: unless Twitter supports your country/carrier, you won’t be able to add a phone number to protect your account.
Twitter acknowledges as much:
“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification, which may not work with some cell phone providers.”
The problem is, Twitter only supports a limited number of carriers in an even shorter list of countries, leaving the bulk of its user base without heightened security features.
I’m glad Twitter rolled out 2-step auth but I wish they let me use the Android Authenticator app like Google and Dropbox
— Romain Guy (@romainguy) May 22, 2013
The Authenticator app can securely create, on the phone itself, the passcodes that two-step verification systems by the likes of Google and Dropbox normally send via text messaging. This can be quite handy in situations when, for whatever reason, texts don’t reach your phone.
Although enabling two-step verification won’t affect your existing Twitter applications, keep in mind that signing in to your Twitter account on another device or app requires visiting your applications page to generate a temporary password, which you then use to log in and authorize that application, Twitter explains.
With this change in place, we’ll hopefully see fewer high-profile hacks of Twitter accounts belonging not just to celebrities and established media outlets (the Financial Times, the Guardian and the Associated Press come to mind), but to us, “ordinary” users.
Will you be taking advantage of Twitter’s two-step verification?