New Twitter Two-Factor Authentication says bye to SMS

Today @jimio from Twitter’s Product Security team announced a new Droid and iOS update that let’s you approve login requests right from the mobile App.  There’s no need to uses traditional text message verification which requires a valid phone number and messaging plan.

This update improves the security of the Twitter app because whenever you make a login request you’ll get browser details about the approximate location of the App that initiated the request.  Therefore; if you see requests coming from India but you live in New York, you can easily identify possible phishing attacks.

In this article, I’ll talk about the old way Twitter does Two-Factor Authentication.  Then I’ll explain with the new way and I’ll wrap up with a technical summary about how it works.

Twitter Two Factor: The Old Way

The old SMS method of Twitter Two-factor Authentication was laborious.  Y

To get started, you have to login into Twitter from your Web Browser and open Settings

Twitter Settings

Scroll down to Login Verification and click OK, send me a message.

Twitter Login Verification

After authorizing Twitter to send the SMS to your phone it’ll chime or vibrate with a confirmation message.

Twitter Login Verification using Android


Twitter Login Verification

Click Yes to the confirmation message then login to your account again.

Twitter Two Factor Authentication Verification


That was the old, circuitous mode of using text message verifications for two factor authentication.  It’s old. It’s antiquated and arguably less secure.

Twitter Two Factor: The New Way

The new way is to update your Twitter App.  I have a Samsung Galaxy S4 so I use Google Play; however, the update is also available for Apple iOS devices.

Twitter Two Factor App Update

From the Me section of your newly updated Twitter App, tap the little cog under your tweet count and touch Settings.

Twitter App Settings

Select your Account

Twitter App Account Selection

Scroll down and touch the Security option

Twitter App Account Security

Tap login verification and tap OK to complete the SMS-less verification setup process.

Now the App will generate a backup code that you can use to access your account if you lose a data connection or your phone.  Make sure you write this down and store it in a secure location.

And that’s it.  Goodbye SMS verification.  You can read the official announcement on Twitter’s blog.

Twitter Login Verification

How it Works

The purpose of this new authentication system was to provide an alternative to relying on SMS codes.

When you enroll with the mobile App, it generates a 2048bit RSA private and public key.

The private key resides on your phone but the public key gets sent to Twitter’s servers.

Whenever someone tries to login to Twitter with your username and password, Twitter sends a challenge to the mobile App based on a 190bit, 32 character  cryptographic nonce.

A nonce is a random number that used only once in cryptographic communication.  It basically makes Replay Attacks impossible because the cryptokey is different on each authentication attempt.

You’ll see a notification that displays the time, location, and browser linked to the login attempt.  You can then approve the request if you trust the source or reject it if the source is unknown or suspicious.  If approved, the App responds to the 190bit, 32 character nonce with its private key.

Next, the server checks to see if that key matches a request ID, if so it authenticates and signs you in.

Why I like It

The nice thing about all this is that it avoids text messages for verification. SMS is an inherently vulnerable protocol because there are no passwords or permissions; there’s no protection.  I highly suggest that you enable the new Two-Factor authentication so you can benefit from the increased protection right away.

Let me know if you’ve encountered any difficulties with it in the comments below.


Connect with Vonnie on Twitter

Posted in Mobile, News, Security Tagged with: