
It just got tougher for malicious individuals to take over Twitter accounts. Today the microblogging giant is offering users a more robust two-factor authentication method to sign in to their accounts.
The new two-factor authentication is application based: the second factor is a key held inside the Twitter mobile app, so signing in no longer depends on codes sent via SMS or on a third-party authenticator.
How Twitter's new two-factor auth works
With the new mechanism, users enroll from a supported mobile app, which generates a 2048-bit RSA key pair. The private key is stored on the phone and never leaves it; only the public key is sent to Twitter.
The next time the user tries to sign in, Twitter sends a challenge based on a 190-bit, 32 character code to the mobile app, and the user gets a notification to approve or deny the sign-in request. If approved, the app signs the challenge with the private key stored on the phone and sends the signature back; the private key itself is never transmitted. Twitter verifies the signature against the public key it holds for that account, and only then is the user granted access to the social service.
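The enrollment and challenge-response exchange described above, as an added example in Go that is not Twitter's code. The phone generates a 2048-bit RSA key pair and registers only the public key; the server issues a random 32-character base32 challenge (20 random bytes, 160 bits, here; the article quotes "190-bit" without naming the encoding, so the exact size is an assumption) and accepts the login only when the signature over that exact outstanding challenge verifies under the enrolled key. RSA-PSS over SHA-256, the user name "alice" and the in-memory maps are illustrative assumptions; the challenge is consumed on use so a captured signature cannot be replayed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
)

// Phone holds the enrolled device's private key. It never leaves the device;
// only signatures over server-issued challenges are sent back.
type Phone struct {
	priv *rsa.PrivateKey
}

// EnrollPhone generates the 2048-bit RSA key pair described in the article.
func EnrollPhone() (*Phone, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Phone{priv: priv}, nil
}

// PublicKey is the only key material the phone sends to the server.
func (p *Phone) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Approve is what happens when the user taps "approve": the phone signs the
// challenge with its private key. RSA-PSS over SHA-256 is an assumption; the
// article does not say which signature scheme Twitter uses.
func (p *Phone) Approve(challenge string) ([]byte, error) {
	digest := sha256.Sum256([]byte(challenge))
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// Server keeps one public key per user and at most one outstanding challenge.
type Server struct {
	pubs    map[string]*rsa.PublicKey
	pending map[string]string
}

func NewServer() *Server {
	return &Server{pubs: map[string]*rsa.PublicKey{}, pending: map[string]string{}}
}

// Enroll records the phone's public key for the user.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.pubs[user] = pub }

// 20 random bytes (160 bits) encode to exactly 32 unpadded base32 characters;
// the challenge size is an assumption, the article only says "32 character".
var challengeEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewChallenge is issued once the password step has passed. It replaces any
// earlier outstanding challenge, so only the newest one can be approved.
func (s *Server) NewChallenge(user string) (string, error) {
	if _, ok := s.pubs[user]; !ok {
		return "", errors.New("user has no enrolled device")
	}
	var raw [20]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	c := challengeEncoding.EncodeToString(raw[:])
	s.pending[user] = c
	return c, nil
}

// Verify accepts the login only if the signature covers the challenge that is
// currently outstanding for this user and verifies under the enrolled key.
// A matching challenge is consumed before the signature check, so a captured
// signature cannot be replayed and a stale challenge is never accepted.
func (s *Server) Verify(user, challenge string, sig []byte) bool {
	want, ok := s.pending[user]
	if !ok || want != challenge {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256([]byte(challenge))
	return rsa.VerifyPSS(s.pubs[user], crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	phone, err := EnrollPhone()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", phone.PublicKey())

	ch, _ := srv.NewChallenge("alice")
	sig, _ := phone.Approve(ch)
	fmt.Println("approved login accepted:", srv.Verify("alice", ch, sig))
	fmt.Println("replay of the same signature:", srv.Verify("alice", ch, sig))
}
```

Note what the server never holds: the private key. A breach of the server's public-key store lets nobody approve logins, and the "deny" path is simply the phone not signing, so an unsolicited approval prompt is itself evidence that someone else has the password.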
According to a new article on WIRED, Twitter wanted to implement two-factor authentication without following in everyone else's footsteps (e.g., Microsoft, Google, Apple). As a result, the new login verification does not require a phone number; users can write down a generated backup code and keep it in a safe place (the backup code even works for signing in from a web browser); and when a new login request is made, users verify and approve it from the app. All you need is the Twitter app and an internet connection.
Authenticate without a phone
If you don't have your phone, the company also has a way around this scenario: you sign in with the backup code, which Twitter's servers check, and if it matches you are let in.
To make the backup code work without sharing secrets, we use an algorithm inspired by S/KEY. During enrollment, your phone generates a 64-bit random seed, SHA256 hashes it 10,000 times, and turns it into a 60-bit (12 characters of readable base32) string. It sends this string to our servers. The phone then asks you to write down the next backup code, which is the same seed hashed 9,999 times. Later, when you send us the backup code to sign in, we hash it one time, and then verify that the resulting value matches the value we initially stored. Then, we store the value you sent us, and the next time you generate a backup code it will hash the seed 9,998 times. — Twitter details.
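The hash chain in the quoted description, as an added example in Go that is not Twitter's code. The seed is 64 bits, the chain is 10,000 SHA-256 steps, and each value is truncated to 60 bits and written as 12 base32 characters, as the quote states. That every link (not only the last) is truncated before the next hash, that the hash input is the base32 text rather than raw bytes, and that the RFC 4648 alphabet is used are assumptions: the quote leaves those details open, but they are needed for "hash the code once and compare with the stored value" to work on the 12-character code a user types.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Chain length from the article: the server stores the seed hashed 10,000 times.
const chainLength = 10000

// RFC 4648 base32 alphabet; the alphabet Twitter uses is not stated, so this is an assumption.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// encode60 renders the low 60 bits of v as 12 base32 characters (5 bits each, most significant first).
func encode60(v uint64) string {
	var b [12]byte
	for i := 11; i >= 0; i-- {
		b[i] = alphabet[v&31]
		v >>= 5
	}
	return string(b[:])
}

// hashOnce is one link of the chain: SHA-256 of the input, truncated to its top 60 bits.
// Truncating every link, not just the last, is what lets the server hash the
// 12-character code the user submits and compare it with the stored value.
func hashOnce(in []byte) uint64 {
	h := sha256.Sum256(in)
	return binary.BigEndian.Uint64(h[:8]) >> 4
}

// chain applies hashOnce n times (n >= 1), starting from the raw 64-bit seed;
// every later link hashes the base32 text of the previous one (an assumption).
func chain(seed [8]byte, n int) uint64 {
	v := hashOnce(seed[:])
	for i := 1; i < n; i++ {
		v = hashOnce([]byte(encode60(v)))
	}
	return v
}

// Phone holds the seed; the server never sees it.
type Phone struct {
	seed [8]byte
	next int // how many times to hash the seed for the next code
}

// Server holds only the current tip of the chain, which reveals nothing about earlier links.
type Server struct {
	tip string
}

// Enroll mirrors the quoted enrollment: the phone draws a 64-bit seed, hashes it
// 10,000 times and hands the server that value only.
func Enroll() (*Phone, *Server, error) {
	var seed [8]byte
	if _, err := rand.Read(seed[:]); err != nil {
		return nil, nil, err
	}
	p := &Phone{seed: seed, next: chainLength - 1}
	s := &Server{tip: encode60(chain(seed, chainLength))}
	return p, s, nil
}

// NextCode is the value the user writes down: the seed hashed p.next times.
// p.next is then decremented so the following code is one link further back.
func (p *Phone) NextCode() (string, error) {
	if p.next < 1 {
		return "", errors.New("chain exhausted; re-enroll")
	}
	code := encode60(chain(p.seed, p.next))
	p.next--
	return code, nil
}

// Verify hashes the submitted code once and compares with the stored tip. On
// success the submitted code becomes the new tip, so the same code cannot be reused.
func (s *Server) Verify(code string) bool {
	code = strings.ToUpper(strings.TrimSpace(code))
	if len(code) != 12 || strings.Trim(code, alphabet) != "" {
		return false
	}
	if encode60(hashOnce([]byte(code))) != s.tip {
		return false
	}
	s.tip = code
	return true
}

func main() {
	phone, srv, err := Enroll()
	if err != nil {
		panic(err)
	}
	code, _ := phone.NextCode()
	fmt.Println("backup code:", code)
	fmt.Println("first use accepted:", srv.Verify(code))
	fmt.Println("replay accepted:", srv.Verify(code))
}
```

Because SHA-256 is preimage resistant, the tip stored on the server does not let an attacker who steals it derive the next code, and each accepted code replaces the tip, so a code cannot be used twice. The scheme as quoted is strictly sequential: a code generated after an unused earlier one is rejected until that earlier code is consumed, which this Verify reproduces; a deployment that wants to tolerate skipped codes would need a bounded look-ahead, which the quote does not describe.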
Instructions
To configure the new verification system in your Twitter account follow these step-by-step instructions:
1. Make sure you have installed the latest version of Twitter mobile app.
2. From the Me tab, open Settings and choose Security (Android users have to tap their name before selecting Security and users using a web browser simply need to scroll down on the Settings page and continue on the next step).
3. Enable Login verification.
4. Write down the generated backup code and store it safely.
5. After you’re enrolled, you can use the Twitter app to approve or deny sign in requests from one or all your accounts.
The new end-to-end secure verification system is available today. Twitter is already pushing an update to support the mechanism on Android and iOS, but sadly Windows Phone users will have to wait a bit longer. Also keep in mind that this new way to sign in to the social network is not a replacement for the SMS-based login verification released back in May; it is an addition to it.
Source Twitter