August 06, 2013, 4:47 PM — Twitter today simplified account security with an enhancement that lets customers approve two-factor authenticated log-ins from inside their iOS and Android mobile apps.
The move was reminiscent of Apple's earlier this year when it introduced two-factor authentication for customers' Apple IDs.
"Good stuff from Twitter," said Andrew Storms, senior director of development and operations at San Francisco-based CloudPassage, in an interview via instant message. "I like how they took it a step further, despite being slow to implement the initial two-factor compared to other big vendors."
Storms' "step further" was a reference to the in-app authentication Twitter introduced Tuesday. In May, the micro-blogging service rolled out a standard form of two-factor log-in that relied on text messages.
Two-factor authentication -- sometimes called two-step verification -- is a more demanding method of locking an account than a password-only process. In enterprises, for instance, two-factor uses hardware tokens that generate passcodes, which are valid for just moments and must be entered along with the usual password.
But Web services don't distribute tokens. Instead, they typically send a passcode to a mobile phone number the account owner has registered earlier. The passcode is usually sent as an SMS (short message service) text.
Starting today, Twitter users with the service's official Android or iOS apps on their smartphones or tablets will be able to approve the log-in without entering a string of numbers or having access to SMS. The latter is a big boon for people who rely on tablets.
"Not needing SMS means even users with tablets or those without phones can use two-factor, [people with an] iPod Touch, for example," said Storms. "I have to give Twitter the tip of the hat by taking this beyond SMS."
Unlike Twitter's improved two-step authentication, however, Apple's still requires users to enter a passcode.
Twitter also mimicked Apple in the use of a backup code, which is generated when users register for the optional two-factor authentication. The backup code can be used to access an account if the device with the Twitter app is stolen, lost or simply not within reach when logging onto the service's website from a desktop or notebook browser.
The San Francisco, Calif. company also warned users that some third-party apps may stumble with two-factor authentication engaged; Twitter's own TweetDeck on Windows and OS X is in the same boat. To log into those apps, users must generate a temporary password.
Twitter joined several other major technology companies, including Apple, LinkedIn and Microsoft, that rolled out two-factor authentication this year. Facebook and Google have offered secure log-ins since 2011.
After Twitter was hacked in February, it asked a quarter-million of its customers to reset passwords. Calls for Twitter to implement two-factor authentication got louder after that.
Future breaches won't give hackers anything to work with, at least for those who have opted to switch on two-step authentication, Twitter said today. "We chose a design that is resilient to a compromise of the server-side data's confidentiality: Twitter doesn't persistently store secrets, and the private key material needed for approving login requests never leaves your phone," said Alex Smolen, a Twitter security engineer, in a post to the company's blog.
Twitter has posted more information about the new in-app authentication that includes instructions on how to set up the feature.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.