For the past six years, I’ve worked in online marketing. As such, I have been the holder of ALL the keys to the social media accounts for many brands I have worked for and with, in Silicon Valley and beyond. My biggest nightmare as the holder of the keys is waking up in the morning to find my company on the front page of Mashable as the latest of the #brands (I mean that hashtag ironically) to have a social media account hacked via phishing, spearphishing, or something worse. To prevent the worst from happening, I’ve implemented a variety of multi-layered security strategies over the past few years to protect myself and my brand from any attempt at account takeover.
Today, I logged in to my brand account to reconfigure one of these layers of security on Twitter. When I finally got to the spot in account settings where I can enable 2-factor authentication, however, I was informed that Twitter allows a phone number to be enrolled in 2-factor authentication on only one account.
Thanks, Twitter but no: THIS IS NOT OKAY.
Instead of using a strong implementation of 2-factor authentication based on the Time-based One-time Password algorithm (TOTP), Twitter built its own version that sends a text message or a push notification with a login code to your phone. (Facebook does the same thing, and I will be yelling at them next. Ed. note: I was mistaken; Facebook allows proper TOTP for 2-factor, carry on everyone.) For many, many reasons, this in-house implementation of 2-factor authentication is not okay. Personally, I prefer the kind where you scan a QR code with Authy (my favorite, but I am biased) or Google Authenticator and the app generates a one-time-use code: the QR code carries a shared secret, not a phone number, so the same secret can be loaded into as many authenticator apps or devices as you need. By making it so that only one phone number can have 2-factor authentication, Twitter is putting me between a rock and a hard place when it comes to securing my personal and my business Twitter accounts.
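To make concrete what "proper" TOTP looks like, here is an added example of the RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms in Python. It was written for this edit and is not Twitter's, Authy's or Google Authenticator's code. The secret is the RFC test-vector key, and the account name, issuer and the `last_used` replay bookkeeping are assumptions made for illustration.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238) in the standard library.

Added illustration for this post, not code from Twitter or any authenticator
app.  TEST_SECRET is the public RFC test-vector key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 reference secret: the ASCII bytes of "12345678901234567890".
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_used=-1):
    """Server-side check of a submitted code.

    Accepts the code if it matches any counter within +/- `window` steps of
    now (tolerates clock skew) and that counter is newer than `last_used`
    (rejects replay of a code captured in flight).  Returns the accepted
    counter, which the caller must persist as the new `last_used`, or None.
    `last_used` is an assumed piece of server state for this example.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        # compare_digest avoids leaking how many leading digits matched.
        if c > last_used and hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """The otpauth:// URI that the enrollment QR code encodes.

    Nothing here refers to a phone number; any number of authenticator apps
    or devices can scan the same URI and will all produce identical codes.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 30 s step, 8 digits).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (20000000000, "65353130")]:
        assert totp(TEST_SECRET, t, digits=8) == expected
    # Assumed account/issuer, for illustration only.
    print(provisioning_uri(TEST_SECRET, "brand@example.com", "ExampleBrand"))
    print("current code:", totp(TEST_SECRET))
```

Because the server and the app share only the seed carried in the `otpauth://` URI, the second factor is never tied to a phone number: the same QR code can be scanned into a personal phone, a teammate's phone and a backup device, which is exactly the flexibility an SMS-only scheme cannot offer. The `last_used` counter is what stops a code that was phished or intercepted from being replayed inside the acceptance window.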
As of right this minute the only options I have to secure my accounts are to:
- Turn off 2FA for my personal account so that I can use my phone number for my brand account. This is not an option: I have had someone try to gain access to my personal account in the past, and 2-factor authentication prevented full and total takeover. I should not have to choose between the security of my personal account and that of my brand account; I should be able to secure both.
- Use a Google Voice number for text message delivery of one-time login codes. This might work, except that Google Voice has its own security concerns, and isn’t something I am comfortable using to solve this issue for either account.
- Add a line to my current carrier plan for $10/month so that a “dumbphone” can receive text messages with 2-factor authentication codes. To be secure, I should not have to spend $120+ a year and carry around a separate device in case I need access to a Twitter account.
Twitter’s botched, home-brewed implementation of 2-factor authentication puts users like me in a position where we have to choose between the security of our personal accounts and of our brand accounts, a decision we should never be forced to make. THAT IS NOT OKAY.
It’s even more disappointing that Twitter doesn’t allow users to better control, manage and secure multiple accounts, especially given the number of social media agencies and teams who have to share this information to get their job done. Personally and professionally, I rely on solid implementations of 2-factor authentication to add an extra layer of security between me and potential attackers who really want to pwn my account (tl;dr, my company works with 1500+ hackers, and hackers like to play with accounts sometimes). This is also an unbelievably poor decision for users, as properly done 2-factor authentication is particularly effective against the password-harvesting phishing (and spearphishing) attacks that groups like the Syrian Electronic Army have used to take over brands’ Twitter accounts.
As brands big and small, we are supposed to build “it” so that the followers will come. Which is great, except that despite Twitter’s attempts to run after big brands for advertising money, there are few-to-no protections for the companies who add value to its platform. Google, Facebook and LinkedIn have figured out how to allow collaboration through managed account roles, and they offer 2-factor auth that actually works, too. Whenever one of us gets hacked, we always hear the words “You should have used 2-factor authentication”. But how exactly are we supposed to do that when we are expected, personally and professionally, to be active on social media, and we aren’t given the support we need to secure both identities?
The next time that you see a brand get hacked on Twitter, you don’t have to wonder why this keeps happening… when you’re given a choice between securing the place that you live or the place that you work, which would you choose first?
Nice post. I share your frustration and agree that it would be very helpful for Twitter to support TOTP as an option for 2-factor authentication. For companies, it is extremely unhelpful when services only provide two-factor auth via SMS or a single phone number. (Fortunately, in my case, I can just use Twitter’s proprietary two-factor auth since I don’t share access to Twitter with anyone else.)
I was wondering if you could elaborate on your security concerns regarding Google Voice. In some respects, Google Voice seems more secure than wireless phone companies. With Google, a user can create an account with solid security (i.e., TOTP two-factor auth and no backdoors to gain entry or password reset by knowing the user’s mother’s maiden name, SSN, credit card number, etc.). Conversely, if a hacker discovered someone’s DOB, SSN, billing address, and credit card number, how many cell phone companies would deny a password reset request? My guess is not many. To me, it seems that using a Google Voice number to receive two-factor codes may not be worse than receiving the codes by SMS to a normal cell phone. You could set up a dedicated Google account with one or more Google Voice numbers for use only to receive two-factor auth codes, and then secure access to that Google account with TOTP two-factor auth. Of course, for security and usability reasons, using an offline TOTP app is preferable to receiving codes via SMS. And this approach would certainly be an annoying workaround, but it would be cheaper than having a dedicated dumbphone and would be easier to share access with multiple users.
I am also curious what your thoughts are on using a third party service that supports TOTP (e.g., Hootsuite: https://help.hootsuite.com/entries/22527304-Manage-Google-Authenticator) to manage Twitter accounts. It’s not ideal, certainly, but that would provide two-factor auth that is multi-user friendly. And the Twitter account could either (1) have a long, random password that nobody uses after the account is connected to Hootsuite, or (2) use Twitter’s two-factor auth via the Twitter app, which nobody would ever need to use except in rare cases when something needs to be done with the account that can’t be done with Hootsuite. (I don’t have any affiliation with Hootsuite–it’s just an example that I am somewhat familiar with.)
–@TechLawGuru
Well said, Jessy. I have been trying to tighten security for a while, and two-step verification is something I use wherever I can. Currently anyone with more Twitter accounts than mobile phones is out of the picture in regards to security.
I’ve spent the past few hours trying to find a workaround. I came to exactly the same potential solutions and to the same conclusions about those solutions as you.
Twitter are not taking security seriously at all. At one stage they had made a mistake with their user interface that allowed people to use the same phone. However, they stopped this, it seems.
Your article cheered me up. At least I’m not alone on this.
All the best
Mike
This rant was just going on in my head. It is an archaic implementation that will only result in people removing 2-factor. Sad.