New Twitter Two-Factor Authentication says bye to SMS

Today @jimio from Twitter's Product Security team announced a new Android and iOS update that lets you approve login requests right from the mobile App.  There's no need to use traditional text message verification, which requires a valid phone number and a messaging plan.

This update improves the security of the Twitter app because whenever a login request is made with your credentials, you'll see the browser, time, and approximate location of the attempt before you decide whether to approve it.  So if you see a request coming from India but you live in New York, you know your password has been stolen (by phishing or otherwise) and you can reject the request on the spot.

In this article, I'll talk about the old way Twitter does Two-Factor Authentication.  Then I'll explain the new way, and I'll wrap up with a technical summary of how it works.

Twitter Two Factor: The Old Way

The old SMS method of Twitter Two-Factor Authentication was laborious.

To get started, you have to log in to Twitter from your web browser and open Settings.

Twitter Settings

Scroll down to Login Verification and click "OK, send me a message."

Twitter Login Verification

After you authorize Twitter to send the SMS, your phone will chime or vibrate with a confirmation message.

Twitter Login Verification using Android


Twitter Login Verification

Tap Yes on the confirmation message, then log in to your account again.

Twitter Two Factor Authentication Verification


That was the old, circuitous way of using text message verification for two-factor authentication.  It's antiquated and arguably less secure, because the one-time code itself travels over SMS.

Twitter Two Factor: The New Way

The new way is to update your Twitter App.  I have a Samsung Galaxy S4, so I use Google Play; however, the update is also available for Apple iOS devices.

Twitter Two Factor App Update

From the Me section of your newly updated Twitter App, tap the little cog under your tweet count and touch Settings.

Twitter App Settings

Select your Account

Twitter App Account Selection

Scroll down and touch the Security option

Twitter App Account Security

Tap Login verification and tap OK to complete the SMS-less verification setup.

Now the App will generate a backup code that you can use to access your account if you lose your data connection or your phone.  Write it down and store it somewhere secure, and not on the phone itself, since losing the phone is exactly the case the code is for.

And that’s it.  Goodbye SMS verification.  You can read the official announcement on Twitter’s blog.

Twitter Login Verification

How it Works

The purpose of this new authentication system was to provide an alternative to relying on SMS codes.

When you enroll from the mobile App, it generates a 2048-bit RSA key pair: a private key and a matching public key.

The private key stays on your phone and is never transmitted; only the public key is sent to Twitter's servers.

Whenever someone logs in with your username and password, Twitter pushes a challenge to the mobile App built from a fresh 190-bit, 32-character cryptographic nonce.

A nonce is a random value that is used only once in a cryptographic exchange.  Because every login attempt gets a brand-new nonce, a signed response captured from one attempt is useless for any other, which is what defeats replay attacks.  (The key pair itself does not change between attempts; it's the challenge that does.)

You'll see a notification that displays the time, location, and browser linked to the login attempt.  You can then approve the request if you trust the source or reject it if the source is unknown or suspicious.  If you approve, the App signs the nonce with its private key and sends back the signature; the private key itself never leaves the phone.

Next, the server looks up the pending login request, verifies the signature against the public key it stored at enrollment, and, if it checks out, signs you in.
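To make that exchange concrete, here is an added example in Go that plays both sides of the protocol just described. It is not Twitter's code and not part of the original post; it is my own reconstruction from the description above. A few details are assumptions, because the announcement doesn't spell them out: the nonce is built here from 24 CSPRNG bytes encoded as 32 URL-safe base64 characters (192 bits rather than exactly 190), the signature scheme is RSA PKCS#1 v1.5 over a SHA-256 digest of the nonce, and the server identifies the pending login request by the nonce itself. The user name `vonnie` and the struct and function names are illustrative only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Server is a constructed stand-in for Twitter's side of the exchange.
type Server struct {
	pubKeys map[string]*rsa.PublicKey // enrolled device key per user
	pending map[string]bool           // nonces of login requests awaiting approval
}
// Phone stands in for the mobile app; its private key never leaves this struct.
type Phone struct{ priv *rsa.PrivateKey }

// Enroll: the phone generates a 2048-bit RSA keypair and hands over only the public half.
func Enroll(s *Server, user string) *Phone {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	s.pubKeys[user] = &priv.PublicKey
	return &Phone{priv: priv}
}

// NewNonce returns 24 CSPRNG bytes as 32 URL-safe base64 characters (192 bits, about the size of
// the 190-bit, 32-character nonce in the announcement). Never derive a nonce from a clock or counter.
func NewNonce() (string, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// Challenge runs after the password check passes: record a fresh nonce as pending and push it to the phone.
func (s *Server) Challenge(user string) (string, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return "", fmt.Errorf("login verification not enrolled for %s", user)
	}
	nonce, err := NewNonce()
	if err != nil {
		return "", err
	}
	s.pending[nonce] = true
	return nonce, nil
}

// Approve is the "Yes" tap: sign the nonce with the private key and return only the signature.
func (p *Phone) Approve(nonce string) ([]byte, error) {
	digest := sha256.Sum256([]byte(nonce))
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Verify checks the signature with the enrolled public key and retires the nonce on first use (no replay).
func (s *Server) Verify(user, nonce string, sig []byte) bool {
	pub := s.pubKeys[user]
	if !s.pending[nonce] || pub == nil {
		return false
	}
	delete(s.pending, nonce) // consumed whether or not the signature checks out
	digest := sha256.Sum256([]byte(nonce))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// check aborts the demo on an unexpected CSPRNG or key-generation failure.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// RunLoginFlow: one enrollment, then the owner's approval, a replay of that same signature,
// and a signature from a key that was never enrolled (someone who only has the password).
func RunLoginFlow() (approved, replayed, forged bool) {
	srv := &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string]bool{}}
	phone := Enroll(srv, "vonnie")
	nonce, err := srv.Challenge("vonnie")
	check(err)
	sig, err := phone.Approve(nonce)
	check(err)
	approved = srv.Verify("vonnie", nonce, sig)
	replayed = srv.Verify("vonnie", nonce, sig) // same nonce and signature, sent again
	thiefKey, err := rsa.GenerateKey(rand.Reader, 2048) // thief has the password, not the phone's key
	check(err)
	nonce2, err := srv.Challenge("vonnie")
	check(err)
	badSig, err := (&Phone{priv: thiefKey}).Approve(nonce2)
	check(err)
	forged = srv.Verify("vonnie", nonce2, badSig)
	return approved, replayed, forged
}

func main() {
	a, r, f := RunLoginFlow()
	fmt.Printf("owner approved: %v, replay accepted: %v, forged accepted: %v\n", a, r, f)
}
```

Two design points worth noticing: the server deletes the nonce before it even checks the signature, so a second submission of the same approval (or a brute-force attempt against an old challenge) fails regardless, and the private key is only ever used inside `Approve`, which is the property that makes a stolen password alone insufficient.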

Why I like It

The nice thing about all this is that it avoids text messages for verification.  SMS was never designed to carry secrets: messages are not encrypted end to end, and a code can be read or redirected by anyone who can intercept carrier traffic or take over your phone number.  I highly suggest that you enable the new Two-Factor authentication so you can benefit from the increased protection right away.

Let me know if you’ve encountered any difficulties with it in the comments below.
