Thoughts on Twitter's new Two-Factor Authentication (authy.com)
99 points by cveigt on Aug 7, 2013 | hide | past | favorite | 34 comments



Not a tremendously compelling argument, and I think the company may come to regret the know-it-all tone of the post. Hubris is not what you want in a security platform company.

The author cites two "flaws":

1. Your phone is offline sometimes.

Twitter has a backup code mechanism that covers this case. They talk about it, right in the post.

2. An attacker can send verification requests that look exactly like yours.

The sole use case for this mechanism is to verify login attempts by the phone's owner in real-time. If a verification request comes in and you're not actually trying to log into Twitter, or if you see more than one, you know you're being attacked.

It's true if you share a login among multiple coworkers then you're vulnerable to being tricked. But that's a bad practice to begin with, and this 2-factor system is still a massive improvement in security even for that scenario.


While I agree that Twitter's mechanism addresses the vast majority of potential attacks against a person's Twitter account (which would almost always be remote), it's not hard to imagine a scenario like Authy describes.

Imagine you're at work, logging in to a two-factor system. Now imagine your attacker is sitting 15 feet away from you. All the attacker needs to do is wait for you to attempt to log in to the system before attempting to log in himself.

When we have penetration tests run against us, this is exactly what is happening. We give the penetration tester a desk, a connection to the internal corporate network, and the same bare level of access we would give to a temporary contract employee.


And if you see multiple requests on your phone, you know it's an attack and you should reject both. The criticism is basically "someone might see a bunch of requests and, not knowing which is theirs, approve them all." If someone is that foolish, you're already in trouble.


I agree except for the part about not caring about foolish users.

For me, it is more about asking yourself what approach will increase the overall security of a system. User adoption is a critical consideration. That is where Twitter's approach shines. It's something that is super easy to adopt, no numbers to type in, which means literally millions more users may adopt it. Authy is undervaluing that consideration.

Yes, this is vulnerable to a) foolish users who approve duplicate requests and b) having an attacker looking over their shoulder.

Pretty good tradeoff IMHO.


Neither TOTP (Google Authenticator) nor Twitter factors in how easy it is to malware/root Android phones these days. I still prefer Yubikey or other open-source cards until the state of mobile security improves (for ex SEAndroid).


But TOTP != Google Authenticator. The advantage of TOTP is that, as an open standard, it can be implemented by anyone.

For example, here's a hardware token implementing the protocol: https://www.safenet-inc.com/products/data-protection/two-fac...


This is something I was thinking as well. I've got a Yubikey, and felt like there is a really good use case for a 'trusted' off-phone device. I've pitched it a couple of times and the story gets either diverted into the "You can't solve the 'Identity' problem, it's the security equivalent of the halting problem." rat hole or the "Why would anyone carry something around in addition to their phone?"

I explain the phone 'rooting' problem and it isn't perceived as a real issue yet (although perhaps it is getting there). In the meantime I have it on my shelf of "things I could build that at least 10 people I know would buy one of." :-)


Note that Authy has the exact same issue.


My first experience with the new two-factor auth has been poor.

1. I sign into Twitter with my browser

2. My phone receives a push notification saying that I have a pending auth request.

3. So I click it and load the Twitter iOS app, and I see "You have no login requests" for that account, no matter how much I refresh it (it has been 10 minutes now).

4. Now I can't get into my Twitter account on the browser.

The urge to disable it is certainly strong...


Did you update to version 5.9 of Twitter for iOS, released 8/6, featuring support for login verification? Maybe the notification should mention that requirement.


Or don't send a notification to that deviceToken until the user has installed the new version of the app and synced at least once. (Letting the server know the deviceToken points at the newer version of the app.)


Yep. As I said, I can see the "Login Requests" page for that account and it says "No Pending Login Requests". Plus I had to use the iOS app to set up and enable two-factor auth in the first place.


I have the same problem with the Android version. I'm just waiting it out, and hoping my session doesn't expire. :)


Would one possible solution be to show a random word on the screen and add that as part of the authentication request? This would allow it to pair up with what you currently see on the screen and keep it simple enough where IP address or other technical details aren't required to be known.


I like this idea; it's similar to what modern tablets and phones use for Bluetooth pairing: instead of asking you to enter a number on the other device, they just ask you to check whether they match up.
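A small simulation of the "matching word" login-verification flow proposed above, added here as an illustration and not code from Twitter, Authy or any commenter. The server (browser side) attaches a word to each pending request and guarantees it is unique among pending requests; the phone side approves only the single request whose word matches what is on screen, so a concurrent request from someone else is never approved by accident. The word list and the IP addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed word list; a real deployment would use a larger, unambiguous list.
WORDS = ["apple", "harbor", "violet", "cactus", "meadow", "falcon", "copper", "lantern"]


@dataclass
class LoginRequest:
    request_id: str
    word: str          # shown in the browser AND carried in the push notification
    source_ip: str     # kept for audit only; the user never has to compare it
    approved: bool = False


@dataclass
class LoginVerifier:
    pending: Dict[str, LoginRequest] = field(default_factory=dict)

    def start_login(self, source_ip: str) -> LoginRequest:
        """Browser side: create a pending request and display its word.
        The word is chosen from those not already in use by a pending request,
        so two simultaneous logins (yours and an attacker's) never share one."""
        in_use = {r.word for r in self.pending.values()}
        available = [w for w in WORDS if w not in in_use]
        if not available:
            raise RuntimeError("too many pending login requests")
        req = LoginRequest(secrets.token_hex(8), secrets.choice(available), source_ip)
        self.pending[req.request_id] = req
        return req

    def push_payload(self) -> List[Tuple[str, str]]:
        """What the phone app fetches: every pending request with its word."""
        return [(r.request_id, r.word) for r in self.pending.values()]

    def approve_matching(self, word_on_screen: str) -> Optional[str]:
        """Phone side: approve only the request whose word matches the screen.
        Anything else stays pending, and an unknown word approves nothing."""
        matches = [r for r in self.pending.values() if r.word == word_on_screen]
        if len(matches) != 1:
            return None
        req = matches[0]
        req.approved = True
        del self.pending[req.request_id]
        return req.request_id

    def deny_all(self) -> int:
        """What a user should do on seeing requests they did not start."""
        count = len(self.pending)
        self.pending.clear()
        return count
```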


I know Twitter did this (primarily) in response to the AP hacking, but I fail to see how this change is going to help organizations (say...news) with multiple people sharing an account for business purposes.

We want to secure with 2 factor here in our offices, but it involves giving 10 people the app and possibly getting spammed every time someone logs in. I realize they went for this approach rather than have your average user type in numbers but I can't help but feel confused by this move.


It is astounding to me how many companies who clearly want, welcome, and benefit from organizational users, fail to provide admin experience that works for organizations.

Why doesn't Twitter (and YouTube, also a terrible offender), simply allow multiple accounts to manage a corporate channel? Like Facebook does with Pages, or Google Analytics with profiles?

Instead we have to either share a single password among multiple people (not secure) or use third party apps like HootSuite (and now your security totally depends on that app, not Twitter).


For anyone who is interested in implementing two-factor authentication, Authy (company behind blog post) is quite easy to use. I recommend it.


They suffer from the "click company logo after reading their blog and it takes you to their blog" syndrome.


There appears to be a (badly titled) menu item that takes you to the company site, but it's hidden beneath the "hamburger" icon, which inexplicably appears even when the web page is full-screen on my laptop but is replaced by real menus at small screen sizes.

Puzzling.


Not sure why there are complaints about it only working when the phone is online. Twitter will only work with a phone online anyway.


This would prevent you from using Twitter on a PC when your phone does not have internet connectivity, e.g., someone at an internet cafe in a foreign country.


It's possible to have computer Internet connectivity in an area with no cell phone reception. I go to a place like that about once a year at least, or so.


I thought this is one of the reasons they have backup keys which you can use when your phone is not reachable. I haven't actually tested the new system though.


Maybe they are trying to tell you to stop tweeting about it, put down your phone and enjoy your vacation?


I don't think they can be, as I don't have a Twitter account.

Certainly I would be pissed beyond belief if I tried to log in to my bank (assuming they ever pull their heads out of their asses to support 2FA) and couldn't because I don't have cellular service in addition to Internet.


I already have this problem; both my bank and my credit union introduced 2FA but only with SMS. Once enabled, any attempt to log in using a not-yet-authorized browser or app is stalled until I get that text message. Presumably a call to customer service would sort it out eventually, but that prospect isn't terribly pleasant.


Every time I have to call customer support to reset a bank password it makes me realize how bad of a security hole most phone support is. Security through two-factor authentication is only as strong as the process for bypassing it.


I appreciate the sentiment but let's be real, what problem did they solve exactly?


Twitter? They solved the insecurity and instability in using their previous SMS solution, and they don't hold the key to the second factor of authorization, in the event their systems leak.


Once a year? Store your backup S/KEY under your favorite keyring.


Not sure why there are complaints about it only working when the phone is online, since you can generate a backup code offline and use that. Your phone does not need internet access once you have set it up.


I have a bad feeling that one of these days we will lock ourselves out of our own accounts...


Mozilla Persona also uses pub/private key pairs, btw. And it seems just fine.

OTPs are great and all but in the end you keep the damn unhashed secret on all machines that have to accept the OTP.



