While two-factor authentication is not a silver bullet, it is a necessary step toward better security, said one analyst.

Twitter should quickly join many other Internet companies such as Google in providing users with the option of two-factor authentication, experts say.

The call for changes in Twitter security followed news Wednesday of the compromise of the official account of Saudi Aramco, the national oil company of Saudi Arabia. Hackers replaced the company’s logo with the picture of Heath Ledger’s portrayal of “The Joker” in the 2008 Batman movie “The Dark Knight.” In addition, a series of tweets were sent to the oil company’s 46,000 followers, the security firm Sophos said.

“It is high time Twitter implement something to augment account security,” said Chester Wisniewski, a senior security adviser for Sophos. “Two-factor authentication would be a great option for protecting high-profile brands, celebrities and those who simply want that extra layer of security for their online identity.”

Twitter did not respond to a request for comment. Twitter is behind other Internet companies in providing the option of requiring a second form of authentication when accessing the service from an unidentified device. Such security usually involves typing in a one-time passcode sent to a mobile phone.

Companies offering the added security include Facebook, Google, Dropbox, Microsoft, PayPal and Yahoo. Recently, Evernote said it would rush plans for two-factor authentication, after a breach forced the site to reset 50 million user passwords.

Twitter has also suffered major compromises. Last month, “extremely sophisticated” hackers breached the microblogging site’s servers and stole the user names and encrypted/salted versions of passwords for 250,000 users, the company reported.

Following the break-in, Bob Lord, director of information security at Twitter, advised users that they should be using strong passwords of at least 10 characters as part of what the site called “good password hygiene.”

“Password hygiene, really?” said Rick Holland, an analyst for Forrester Research. “They didn’t even comment on two-factor authentication. Twitter users expect more out of Twitter.”

While two-factor authentication is not a silver bullet, it is a necessary step toward better security, Holland said. “I have to think that Twitter is working on rolling this out and want to ensure that the solution they deploy is scalable and secure.”

Indeed, Twitter recently had a full-time job posting for a software engineer with experience in designing and developing “user-facing security features, such as multifactor authentication and fraudulent login detection.”

Two-factor authentication is not easy to implement. Security firm Duo Security reported last month a serious flaw in Google’s two-step login process. The problem, which was fixed, stemmed from Google applying the feature across its many services. Such a broad undertaking is bound to have flaws.

“Coming up with a single, infrastructure-wide single sign-on platform is not a trivial task,” Jon Oberheide, co-founder and chief technology officer for Duo Security, said at the time.

Companies using social media should consider products and services available to monitor content for malicious activity, said Gartner analyst Andrew Walls. In addition, companies need to manage account access and activity, and have a plan for responding to a breach that includes the IT and legal staff, security pros, marketing and public relations.

“A robust authentication mechanism is one piece of the social media security puzzle,” Walls said.
“Organizations should not expect public, consumer-oriented social media platforms to provide comprehensive social media security and risk management for enterprise users.”