For the past six years, I’ve worked in online marketing. As such, I have been the holder of ALL the keys to the social media accounts for many brands I have worked for and worked with in Silicon Valley and beyond. My biggest nightmare as the holder of the keys is waking up in the morning to find my company on the front page of Mashable as the latest of the #brands (I mean that hashtag ironically) who had a social media account hacked via phishing, spearphishing, or something worse. To prevent the worst from happening, I’ve implemented a variety of multi-layered security strategies over the past few years to protect myself and my brand and foil any account-takeover attempts.
Today, I logged in to my brand account to reconfigure one of these layers of security on Twitter. When I finally got to the spot in account settings where I can enable 2-factor authentication, however, I was informed that Twitter only allows use of 2-factor authentication with one phone number.
Thanks, Twitter but no: THIS IS NOT OKAY.
Instead of using a strong implementation of 2-factor authentication that makes use of the Time-based One-time Password algorithm (TOTP), Twitter built its own version that sends a text message or a push notification with a login code to your phone.
(Facebook does the same thing, and I will be yelling at them next. Ed. note: I was mistaken– Facebook allows for proper TOTP for 2-factor, carry on everyone.) For many, many reasons, this in-house implementation of 2-factor authentication is not okay– personally, I am all about the kind where you scan a QR code with Authy (my favorite, but I am biased) or Google Authenticator and the app generates a one-time use code– but by making it so that only one phone number can have 2-factor authentication, they’re putting me between a rock and a hard place when it comes to securing my personal and my business Twitter accounts.
As of right this minute the only options I have to secure my accounts are to:
- Turn off 2FA for my personal account so that I can use it for my brand account. This is not an option– I have had someone try to gain access to my personal account in the past, and 2-factor authentication prevented full and total takeover. I should not have to choose between the security of my personal account and of my brand account; I should be able to secure both.
- Use a Google Voice number for text message delivery of one-time login codes. This might work, except that Google Voice has its own security concerns, and isn’t something I am comfortable using to solve this issue for either account.
- Add a line to my current carrier plan for $10/month that allows a “dumbphone” to receive text messages with 2-factor authentication codes. To be secure, I should not have to spend $120+ a year and carry around a separate device in case I need access to a Twitter account.
Twitter’s botched, home-brewed implementation of 2-factor authentication puts users like me in a position where we have to choose between the security of our personal accounts and of our brand accounts, a decision we should never be forced to make. THAT IS NOT OKAY.
It’s even more disappointing that Twitter doesn’t allow users to better control, manage and secure multiple accounts, especially given the number of social media agencies and teams who have to share this information to get their job done. Personally and professionally, I rely on solid implementations of 2-factor authentication to add an extra layer of security between me and potential attackers who really want to pwn my account (tl;dr, my company works with 1500+ hackers, and hackers like to play with accounts sometimes). This is also an unbelievably poor decision for users, as properly done 2-factor authentication is particularly effective against phishing (and spearphishing) attacks, the most common method that groups like the Syrian Electronic Army use to take over a brand’s Twitter account(s).
As brands big and small, we are supposed to build “it” so that the followers will come. Which is great, except that despite Twitter’s attempts to run after big brands for advertising money, there are few-to-no protections for the companies who add value to its platform– Google, Facebook and LinkedIn have figured out how to allow collaboration through managed account roles, and they’ve given users 2-factor auth that actually works, too. Whenever one of us gets hacked, we always hear the words “You should have used 2-factor authentication”– but how exactly are we supposed to do that when we are expected, personally and professionally, to be active on social media, and we aren’t given the support we need to secure both identities?
The next time that you see a brand get hacked on Twitter, you don’t have to wonder why this keeps happening… when you’re given a choice between securing the place that you live or the place that you work, which would you choose first?