Twitter has made a couple of changes to the service’s login process to help prevent account takeovers and enable users to reset their passwords in a simpler way.
A Twitter account is among the more valuable assets for an attacker who is targeting a specific person. Accounts typically are tied to a user’s main email address and give an attacker access to the victim’s social sphere and, perhaps, other accounts. People are bad at remembering passwords, so they tend to reuse them across a number of different sites and services. Attackers know this, and realize that if they can get access to a user’s Twitter account information, they may be able to reuse those credentials on other sites as well.
With all of this in mind, the security team at Twitter has been making changes to the service’s login and authentication processes over the last couple of years, adding two-factor authentication and out-of-band options. The most recent changes, made Thursday, give users the option to choose how they recover their passwords, identifying which phone number or email address they want to use. This can be especially important if a user has lost her phone or no longer has access to an email account.
“The new process lets you choose the email address or phone number associated with your account where you’d like us to send your reset information. That way, whether you’ve recently changed your phone number, or are traveling with limited access to your devices, or had an old email address connected to your Twitter account, you’ve got options. We’ve also made it easier to reset a lost password on your iOS or Android device and have added some customized tips to help you strengthen your account security in the future,” Mollie Vandor of Twitter wrote in a blog post.
The company also has implemented a new behavioral system that’s designed to help identify account-takeover attempts. This is specifically related to the password-reuse problem, as well.
“To protect your account in this scenario we built a system that analyzes login attempts on your account — by looking at things like location, device being used and login history — and identifies suspicious behavior,” Vandor said.
“If we identify a login attempt as suspicious, we’ll ask you a simple question about your account — something that only you know — to verify that your account is secure before granting access. We’ll also send you an email to let you know that we’ve detected unusual activity so you can update your password if need be.”
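The kind of login-risk check Vandor describes, reduced to a small worked example: each attempt is scored against the account's successful login history (location, device, recent failures, implausible travel), and a score above a threshold triggers a step-up question and a notification email rather than an outright block. This is an added illustration, not Twitter's code; the signals, weights, thresholds and the login history are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    """One login attempt, successful or not (fields are assumptions for this example)."""
    when: datetime
    country: str      # coarse location, e.g. from IP geolocation
    device_id: str    # stable identifier for the browser or app install
    success: bool


# Illustrative tuning, not Twitter's.
CHALLENGE_THRESHOLD = 2            # score at or above this -> ask the security question
FAILURE_WINDOW = timedelta(hours=1)
TRAVEL_WINDOW = timedelta(hours=2)


def assess_login(history: list[LoginEvent], attempt: LoginEvent) -> dict:
    """Score an attempt against the account's history and decide whether to
    step up verification and email the user about unusual activity."""
    score, reasons = 0, []
    successes = [e for e in history if e.success and e.when < attempt.when]
    seen_countries = {e.country for e in successes}
    seen_devices = {e.device_id for e in successes}

    if seen_countries and attempt.country not in seen_countries:
        score += 2
        reasons.append("new_country")
    if seen_devices and attempt.device_id not in seen_devices:
        score += 1
        reasons.append("new_device")

    # A burst of failures just before this attempt is the signature of password
    # guessing or of credentials reused from another breached site.
    recent_failures = sum(
        1 for e in history
        if not e.success and attempt.when - FAILURE_WINDOW <= e.when < attempt.when
    )
    if recent_failures >= 3:
        score += 2
        reasons.append("recent_failures")

    # A success from a different country too recently to be plausible travel.
    last = max(successes, key=lambda e: e.when, default=None)
    if last and last.country != attempt.country and attempt.when - last.when < TRAVEL_WINDOW:
        score += 3
        reasons.append("impossible_travel")

    decision = "challenge" if score >= CHALLENGE_THRESHOLD else "allow"
    return {"decision": decision, "score": score, "reasons": reasons,
            "notify_user": decision == "challenge"}


# Constructed sample history: one user, two known devices, all logins from "US",
# followed by three failed attempts from an unknown device ("ZZ" is a placeholder).
BASE = datetime(2014, 2, 20, 9, 0)
HISTORY = [
    LoginEvent(BASE - timedelta(days=30), "US", "laptop-1", True),
    LoginEvent(BASE - timedelta(days=7), "US", "phone-1", True),
    LoginEvent(BASE - timedelta(hours=1), "US", "laptop-1", True),
    LoginEvent(BASE - timedelta(minutes=20), "ZZ", "unknown-9", False),
    LoginEvent(BASE - timedelta(minutes=15), "ZZ", "unknown-9", False),
    LoginEvent(BASE - timedelta(minutes=10), "ZZ", "unknown-9", False),
]

SAMPLE_ATTEMPTS = {
    "usual_device_at_home": LoginEvent(BASE + timedelta(days=1), "US", "laptop-1", True),
    "new_device_only": LoginEvent(BASE + timedelta(days=1), "US", "tablet-2", True),
    "travel": LoginEvent(BASE + timedelta(days=1), "FR", "laptop-1", True),
    "after_failures": LoginEvent(BASE, "ZZ", "unknown-9", True),
}


def run_samples() -> dict:
    """Evaluate every sample attempt against the constructed history."""
    return {name: assess_login(HISTORY, attempt) for name, attempt in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} {result['decision']:9s} score={result['score']} {result['reasons']}")
```

Note the asymmetry in the weights: a new device alone is common enough (a new phone, a reinstalled app) that it only raises the score, while a new country, a failure burst or impossible travel each reach the challenge threshold on their own. The travelling user still gets in after answering the account question, which is the behaviour the article describes, and the email notification gives the real owner a chance to change a reused password.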
Other high-value sites whose users are frequently targeted have recently implemented somewhat similar systems as well. Google has a back-end behavioral analysis system for Gmail that identifies suspicious login attempts and also can flag account takeover attempts from state-sponsored attackers.