Thursday, May 23, 2013

Why SMS 2FA Twitter, WHY?

Dear Twitter,

Congratulations on adding 2-factor authentication, or "login verification" as you have named the baby. It's way overdue imho. With me being 1) one of those criticizing you for being slow with introducing 2FA, and 2) one of those who can't get it quite yet (as Norway and all the telcos here don't exist in your settings universe quite yet), I do have some questions for you.

Essentially my questions are already summarized elegantly by Sean Gallagher at arstechnica in this article.

My short list, with comments:

Why no one-time device/app type authentication/authorization?

This would be more user friendly, and similar to Google, Dropbox & Facebook, it would aid standardizing both security & user experience across multiple services. Now you introduce something "new" in terms of security to your users.

Usability, Usability & Security Usability (where did they go?)

I'm afraid using SMS *every* time at logon will make lots of users stay away from using it, or stay permanently logged in. Neither of those options is preferable if you ask me.

Protecting shared corporate accounts

@AP got hacked. Many others as well, but @AP really rocked the world, at least for 7 minutes. You know, just as many of us paranoids do, that high-value, high-profile & high-target corporate accounts are shared between multiple users & employees. Wild guess: their passwords suck, and never get changed. By deploying an SMS solution like you've done now, protecting such accounts using your SMS 2FA will be hard to do in real life.

Guess what; end users want better security as long as it doesn't affect current usability.

Access to Twitter suddenly depends on SMS

As I wrote at the top, I'm in Norway. Norway isn't listed as a country yet in your settings, neither are any of the telcos here, so I can't enable login verification quite yet. If I lose my phone running a standardized TOTP authentication app, it's my problem. If my telco cannot deliver your SMS in seconds, I won't log in; then I won't use your service, and post to Facebook, G+ and Instagram instead. I guess you don't want that to happen?

So please, get me some more options

I'm a Twitter addict. I want better security, but preferably not at a great cost/loss of usability. From what it looks like now, even before I've been able to configure login verification, I'm skeptical. I cheered when Dropbox introduced RFC6238 support, I enjoyed using my existing Google Authenticator app to handle it, I laughed when I discovered how to configure Facebook 2FA support into Authenticator, and of course I've got my SSH servers in there as well.

I'm sorry for lashing out at you earlier, if this SMS solution is what we get. It could be done better, and the solutions were already available out there.

Hoping for the best,
Per Thorsheim
