Responding to a wave of high-profile account takeovers in recent months, Twitter has implemented a phone-based two-factor authentication scheme that will require a numerical code along with a username and password when users log in to their accounts. The feature, known as login verification, is similar to one used by Google in its Gmail service.
The new security feature comes at a time when attackers are having a field day with account takeover attacks against prominent Twitter users. In the last few months, attackers have compromised the accounts of the Associated Press and The Onion, the satirical U.S. news site, among others. Twitter’s login verification is designed to help prevent these takeovers by requiring an extra piece of information when a user logs into her account on a new device or application.
In order to enable the feature, a user can go to the Settings page on her account and select the box that says “Require a verification code when I sign in”, then click the link to add a phone to the account. Once the user adds a phone, she will need to enter a six-digit one-time password each time she signs in to Twitter.
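The scheme described above (a six-digit one-time code sent to an enrolled phone, demanded at sign-in) is simple to state but easy to implement badly. The following is an added illustration, not Twitter's code and not from the blog post quoted below: a minimal server-side model of SMS login verification that shows the properties a defender cares about, namely a randomly generated code, a short validity window, single use, a cap on guesses, and a constant-time comparison. The SMS gateway, the user and phone number, and the `LoginVerification` class and its method names are all assumptions made for this example.

```python
"""Model of SMS-based login verification (added example, not Twitter's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6           # six-digit code, as in the article
CODE_TTL_SECONDS = 300    # assumed validity window for a code
MAX_ATTEMPTS = 5          # assumed cap on guesses per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class LoginVerification:
    """Second factor: a one-time code texted to the user's enrolled phone.

    send_sms(phone, message) is the SMS gateway (injected so tests run offline);
    clock() returns the current time (injected so expiry can be tested).
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._phones = {}    # user -> enrolled phone number
        self._pending = {}   # user -> PendingCode awaiting verification

    def enroll_phone(self, user, phone):
        """Step 1 of enrollment: attach a phone to the account."""
        self._phones[user] = phone

    def start_login(self, user):
        """After the password check: issue a fresh code and text it.

        Returns False if the user has no enrolled phone.
        """
        if user not in self._phones:
            return False
        # Cryptographically random, zero-padded to CODE_DIGITS digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code invalidates any earlier unverified one.
        self._pending[user] = PendingCode(code, self._clock())
        self._send_sms(self._phones[user], f"Your login code is {code}")
        return True

    def verify(self, user, submitted):
        """Check the code the user typed. Returns True exactly once per code."""
        pending = self._pending.get(user)
        if pending is None:
            return False                        # nothing outstanding, or already used
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]             # expired: force a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]             # too many guesses: force a fresh code
            return False
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user]             # single use: burn it on success
            return True
        return False


def demo():
    """Run the enrollment and sign-in flow against a fake SMS gateway.

    Returns a dict of outcomes so the behaviour can be checked without output.
    """
    outbox = []                                  # constructed stand-in for the carrier
    now = [1_000_000.0]                          # controllable clock
    lv = LoginVerification(
        send_sms=lambda phone, msg: outbox.append((phone, msg)),
        clock=lambda: now[0],
    )
    lv.enroll_phone("alice", "+15555550100")     # constructed sample user and number
    lv.start_login("alice")
    code = outbox[-1][1].split()[-1]             # what the user reads off her phone
    wrong = "000000" if code != "000000" else "111111"
    wrong_rejected = not lv.verify("alice", wrong)
    correct_accepted = lv.verify("alice", code)
    replay_rejected = not lv.verify("alice", code)   # same code a second time
    lv.start_login("alice")
    code2 = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1               # let the second code expire
    expired_rejected = not lv.verify("alice", code2)
    return {
        "wrong_rejected": wrong_rejected,
        "correct_accepted": correct_accepted,
        "replay_rejected": replay_rejected,
        "expired_rejected": expired_rejected,
        "sms_sent": len(outbox),
    }


if __name__ == "__main__":
    print(demo())
```

The injected `send_sms` and `clock` are what make the model testable offline; in a real deployment the same structure lets the gateway be swapped without touching the verification logic. The guess cap matters because a six-digit code has only a million values, so an unbounded number of tries would let the second factor be brute-forced within the validity window.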
“With login verification enabled, your existing applications will continue to work without disruption. If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application,” Jim O’Leary of the Twitter product security team wrote in a blog post.
“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers). However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future.”
Google has had a similar two-factor authentication system for Gmail in place for several years now. Gmail users can enable the feature in their account settings and then either use a mobile app to generate the one-time codes or have them sent via text or over a voice call. In March, Apple added two-factor authentication for iTunes accounts, using much the same kind of system.