I love two-factor authentication. In a nutshell, it uses two things to authenticate you (log you in): something you know (a password) and something you have (usually your phone). That way, if someone figures out your password (shame on you for using your kids' or pets' names) they still can't log in, because they need the second factor. Twitter rolled out an SMS-based two-factor option several months ago that would send you a text message with the security code, but they've just released an update to that program and are now using their app.

Twitter for iOS and Android updates let you enroll in login verification and approve login requests directly from your mobile app

Twitter's blog has the full details here, and the instructions for setting it up are pretty easy:

  • From the Me tab in the Twitter application, open Settings and then tap Security (Android users: you’ll need to tap your name before you can select Security)
  • Turn on Login verification
  • Store the generated backup code in a safe place. You will need to use this code if you need to access your account when you don’t have your phone.
  • After you enroll in login verification, you’ll use the Twitter application to approve requests each time you sign in to twitter.com with your username and password.

Wired's article on the new two-factor authentication has some more details on what goes on behind the scenes. You can read the full text here:

The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.

When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32-character random nonce to the mobile app — along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app replies to the challenge with its private key and relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.
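To make the exchange Wired describes concrete, here is an added example (my own code, not Twitter's or Wired's) of the enrollment and login-approval flow: the phone generates a 2048-bit RSA keypair and uploads only the public half, the server mints a random nonce per login request, the phone signs the challenge, and the server verifies the signature and discards the challenge so it can't be replayed. The signature scheme (PKCS#1 v1.5 over SHA-256), the 24-byte nonce, the request-ID format and the way the challenge is bound to the request ID are all my assumptions; the article does not give those details, and the time/location/browser notification shown to the user is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Phone holds the keypair generated at enrollment; the private key never leaves it.
type Phone struct{ priv *rsa.PrivateKey }

// Server keeps only the public key per enrolled user, plus outstanding challenges.
type Server struct {
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string][]byte // requestID -> nonce (assumed format)
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll: the app generates a 2048-bit RSA keypair and uploads the public half.
func Enroll(s *Server, user string) (*Phone, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return &Phone{priv: priv}, nil
}

// NewLoginRequest runs after the password check passes: the server mints a
// random nonce, files it under a fresh request ID, and pushes both to the app.
func (s *Server) NewLoginRequest(user string) (requestID string, nonce []byte, err error) {
	nonce = make([]byte, 24) // 192 bits; the article mentions a 190-bit nonce
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err = rand.Read(id); err != nil {
		return "", nil, err
	}
	requestID = hex.EncodeToString(id)
	s.challenges[requestID] = nonce
	return requestID, nonce, nil
}

// challengeDigest binds the nonce to the request ID so a signature for one
// request cannot be spliced onto another (my assumption about the binding).
func challengeDigest(requestID string, nonce []byte) []byte {
	d := sha256.Sum256(append([]byte(requestID), nonce...))
	return d[:]
}

// Approve is what the app does when the user taps "approve": sign the challenge.
func (p *Phone) Approve(requestID string, nonce []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, challengeDigest(requestID, nonce))
}

// Verify checks the signature against the enrolled public key. The challenge is
// consumed first, so a captured approval cannot be replayed for a second login.
func (s *Server) Verify(user, requestID string, sig []byte) bool {
	nonce, ok := s.challenges[requestID]
	if !ok {
		return false
	}
	delete(s.challenges, requestID)
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, challengeDigest(requestID, nonce), sig) == nil
}

func main() {
	server := NewServer()
	phone, err := Enroll(server, "alice") // "alice" is a constructed sample user
	if err != nil {
		panic(err)
	}
	id, nonce, err := server.NewLoginRequest("alice")
	if err != nil {
		panic(err)
	}
	sig, err := phone.Approve(id, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("approval accepted:", server.Verify("alice", id, sig))
	fmt.Println("replay accepted:  ", server.Verify("alice", id, sig))
}
```

The point worth noticing is what each side stores: the server never holds anything that can produce an approval, so a leak of its database gives an attacker public keys and nothing more, and each nonce is good for exactly one login.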

The backup key uses a neat system as well. They take a key and hash it 10,000 times. Yes, that's ten thousand. The 10,000th hash is stored on Twitter's server and you are displayed hash #9,999. If you need to use the backup code, you send it to Twitter, which hashes it once; the result should match the 10,000th hash they've stored. If so, you are allowed in, they store the 9,999th hash, and you are displayed hash #9,998. Because hashes are one-way, the value stored on Twitter's side can't be turned back into the code you hold, and each code works exactly once. This process repeats until you have used up all 10,000 hashes. Hopefully this doesn't happen too often.
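Here is an added example (my own code, not Twitter's) of that hash-chain scheme end to end: the seed is hashed 10,000 times, the server keeps only the top of the chain, the user holds the value one step below it, and each redemption moves the server's stored value one link down. SHA-256 as the hash function, the split of state between a client that keeps the seed and a server that keeps only the tip, and the demo seed are my assumptions; the post doesn't say which hash Twitter uses or where the seed lives.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// ChainLength is how many times the seed is hashed, as the post describes.
const ChainLength = 10000

// hashOnce is one link of the chain. SHA-256 is an assumption.
func hashOnce(v []byte) []byte {
	h := sha256.Sum256(v)
	return h[:]
}

// hashN returns hash^n(seed): the seed hashed n times.
func hashN(seed []byte, n int) []byte {
	v := seed
	for i := 0; i < n; i++ {
		v = hashOnce(v)
	}
	return v
}

// Client models the user's side (an assumption): it keeps the seed and the
// index of the code to present next. The seed itself is never sent anywhere.
type Client struct {
	seed []byte
	next int
}

// CurrentCode is the backup code the user is currently "displayed": hash^next(seed).
func (c *Client) CurrentCode() []byte { return hashN(c.seed, c.next) }

// Advance moves down one link after a successful redemption.
func (c *Client) Advance() { c.next-- }

// Server models Twitter's side: it stores only the tip of the chain.
type Server struct {
	stored    []byte // hash^k(seed); k starts at the chain length
	remaining int    // codes that can still be redeemed
}

// Setup builds both sides from a seed for a chain of length n:
// the server stores hash^n, the user is shown hash^(n-1).
func Setup(seed []byte, n int) (*Server, *Client) {
	return &Server{stored: hashN(seed, n), remaining: n}, &Client{seed: seed, next: n - 1}
}

// Redeem hashes the presented code once and checks it against the stored tip.
// On success the presented code becomes the new tip, so the same code can
// never be accepted twice; a hash(tip) != tip, so replaying it fails.
func (s *Server) Redeem(code []byte) bool {
	if s.remaining == 0 {
		return false // chain exhausted; the user has to re-enroll
	}
	if subtle.ConstantTimeCompare(hashOnce(code), s.stored) != 1 {
		return false
	}
	s.stored = code
	s.remaining--
	return true
}

func main() {
	seed := []byte("constructed-demo-seed-not-a-real-secret") // constructed sample value
	server, client := Setup(seed, ChainLength)
	code := client.CurrentCode() // hash #9,999
	fmt.Println("server stores hash #10,000:", hex.EncodeToString(server.stored)[:16], "...")
	fmt.Println("user is shown hash #9,999:  ", hex.EncodeToString(code)[:16], "...")
	fmt.Println("redeem #9,999:", server.Redeem(code))
	fmt.Println("replay #9,999:", server.Redeem(code))
	client.Advance()
	fmt.Println("redeem #9,998:", server.Redeem(client.CurrentCode()))
	fmt.Println("codes left:", server.remaining)
}
```

Two details matter for the defender: the comparison uses a constant-time check so timing doesn't leak how much of the hash matched, and a stolen copy of the server's stored value is useless on its own, because turning hash #10,000 back into hash #9,999 would mean inverting the hash.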

All in all I like the new system. My only, very minor, gripe is that I am forced to use their Twitter app. I don't use it much because it doesn't work as well for me as some other third-party apps (Falcon, Carbon, Hootsuite to name a few), and now I definitely have to keep a copy of the official Twitter app on my phone. I would rather use Google's Auth app, which already handles several different accounts for me. But at the end of the day that's a very minor inconvenience for some much needed security.