I think this is just illustrating precisely the point of two-factor authentication, which is defense in depth. Right now, you have one factor which means that anything that compromises that factor compromises you, and who knows what bizarre attacks someone can land once they've started penetrating your defenses. By publishing your password, you're going back down to a single factor (and in some ways it's worse than that, because who knows what security policies are in place for most services - having half of a two-factor pair here has clearly been interpreted as being someone "more authenticated" than having NONE of a single factor).
That said, I would love it if the default single factor authentication method were public keys rather than passwords. I get how impractical that is with people constantly trying to access things in some device-independent way, but I fantasize about a world where everyone carries around a cheap hardware authentication module that just negotiates the cryptographic part of SSL handshakes as the primary authentication factor (with passwords and biometrics as secondary and tertiary factors as desired). Sure would be nice if the only thing that could be leaked after a data breach was your public key.
> a world where everyone carries around a cheap hardware authentication module
There are moves towards such a future with U2F / UAF (Fido) and Yubikeys (a U2F version is meant to be released this year). I know it won't roll out exactly as planned, but I'm still excited by the tech.
I think two factor authentication is just an excuse to confirm your real identity, as it is much harder to obtain a fake phone number compared to a fake email address. I bet internally someone using two factor authentication is seen as more valuable to advertisers, since the phone number can probably be tied to a credit card record and other information collected by banks and other large real world companies. To 95% of twitter users it would probably be completely inconsequential if their account were compromised, just create a new one and let all your friends know.
And to the last 5% that use the "Log in with Twitter" buttons in order to avoid creating another (probably weak) password, 2-factor is invaluable since it protects not just our twitter network but any accounts that it has been linked to.
The article mentions using Google Authenticator but I'd recommend Duo (Duo Mobile on Android) as it lets you reorganize your accounts, assign icons to various accounts, and only shows the token you care about via expanding with a much larger font. Once I passed around 6 two-factor accounts Google Authenticator became too hard to use.
Lots of good points there, but this seemed a bit odd: "...it’s worth managing your passwords, as inconvenient as that can be." Personally I find it much more convenient to use a password manager than to try to remember what username (or was it an email address?) and password I used for every obscure thing I've ever had to log into. Even if you tried to use the same password for everything, completely ignoring how bad an idea that would be, I think a good password manager would still be more convenient, since there are often restrictions on usernames and passwords that prevent you from using the same thing. (For example, my bank boneheadedly requires an alphanumeric password of exactly 6 characters...)
I really hate Twitter's TFA approach and have it disabled for security reasons. Primarily, if someone gets access to your cellphone network account (Sprint, ATT, etc.) they can receive texts on your behalf. So if your Twitter password happens to be the same as your ATT password, you're out of luck. I only use two factor authentication if I can add it to my Authenticator app and save the code/QR code somewhere offline. Everything else is just too complex to be secure.
> So if your Twitter password happens to be the same as your ATT password, you're out of luck.
Why would you have both passwords be the same? That makes no sense. All passwords should be different.
> I only use two factor authentication if I can add it to my Authenticator app and save the code/QR code somewhere offline. Everything else is just too complex to be secure.
TOTP-based two-factor auth (e.g. Google Authenticator) is my preferred method as well, though I'll still set up an alternative method if it's not available. For example, Namecheap offers 2FA via SMS. While not preferred, it's better than nothing.
This may not be the ideal place to ask this but here it goes:
What about authenticating a logout? If someone is intercepting your communication, and you logout, how can you be sure that your logout has actually executed?
The "You have signed out" page could display a one-time code that should match a second set of seemingly randomly generated codes on your mobile phone.
I was completely shocked when I read this yesterday morning while drinking my morning coffee. The best outcome that could arise from the author disclosing his password is him receiving hundreds of texts that day. I understand the point he is making, but still a very risky move.
As long as his Twitter account was isolated[1], the only risk was losing control of his twitter account for a few days. And given the fact that he published an article previously saying that he was going to give away his password, I don't think that he would run into much trouble even if they used his twitter account for malicious purposes.
[1] That is, the Twitter account wasn't being used to log into other services.
Good article. In both this and the previous articles, the author seemed to know what he was talking about, gave actual security advice, and ran an interesting experiment.
ISTR someone building a site out there that let you play with Google Authenticator on your own without messing with your Google account. Did I imagine that?
It should work, but some networks are really bad at delivering messages, dropping them or delaying them by hours.
As for charges, that may be a problem. But I have never seen international charges of over a dollar for a simple text. But I haven't been to really exotic locations.
I still use SMS for the second factor, it's way less secure, but I have it mostly to protect against opportunistic attacks, and having the second factor bound to a device that I will lose or kill with 100% certainty isn't a great solution for me.
My company makes this password manager: http://www.cloudentr.com/ Give it a try! You can secure all your passwords using your mobile phone as second factor of authentication.
I could not find any technical details from Gemalto besides this blurb, which doesn't inspire confidence:
"We encrypt your CloudEntr password with a cryptographic hash function – and make sure you’re the only one with the key. We also secure your web logins with AES-256 symmetric key encryption algorithm."
> But a glaring flaw in Twitter’s account-security system lets anyone who obtains your password learn whatever mobile-phone number you’ve associated with your Twitter account if you turned on a simple but highly effective security measure
So...I don't know what the "flaw" is...but it doesn't seem to me that the OP learned the biggest lesson of all about security: that pretty much everything is a tradeoff.
Granted, I'm having a hard time thinking why Twitter would feel the need to expose the phone-number at all to a user outside of his/her own account page, so I'm guessing that is some unintended bug. However, consider the situation: The OP gives away his password...Two-factor authentication never, ever meant "hey, it's just as strong as if you give away one of the factors"...I've never designed a security system before, but I'm guessing things would become very convoluted if security designers had to treat giving away your password -- as a public announcement and media figure -- as anything but an edge case. The inconvenience of 2-factor-authentication is meant to offset the problem of total compromise given the relatively frequent chance of getting phished. Twitter's flaw, as described, is likely not a main attack vector for phishers who are sending out thousands and thousands of emails and hoping to get turnkey access to someone's account...even if Twitter gives away the phone-number through some sort of exerted effort...that's unlikely to be the exerted effort used by mass phishers. It's a totally different security game when you're the target of thousands rather than one target among thousands.
(that said, Twitter should fix the flaw, unless there's some other dependency on having the phone number be accessible)
>So...I don't know what the "flaw" is...but it doesn't seem to me that the OP learned the biggest lesson of all about security: that pretty much everything is a tradeoff.
The flaw is side-channel data leakage about the authentication process and about the user data - they're revealing private information to someone who has not successfully authenticated. Just because the guy published his password doesn't mean it's not a flaw - if someone got his password from a compromised database they shouldn't be able to leverage that into finding out his phone number or anything else about him, if he's already arranged with Twitter (or any other service) to a protocol which basically says, "Don't believe anyone saying they are me unless they both know my password and have my phone."
Frankly, a well-designed 2FA system shouldn't even reveal whether or not you've successfully authenticated using one of the factors. For TOTP this is possible because you can enter in the username, password and TOTP code all at the same time (though it's rare to see this implementation). Even if TOTP is not enabled for most accounts, you'd still want to show the box and say, "Leave this blank if you don't have TOTP enabled". For this SMS-based second-factor, I'm not sure how to design it so that there are no side-channel attacks other than sending an SMS with an authentication token every single time, whether or not the password was entered correctly (which allows random people with your login to just randomly send you authentication spam).
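One way to build the design described above (username, password and TOTP code submitted together, one combined pass/fail, and a blank code for accounts without TOTP) as an added Python example; it is not code from this thread or from Twitter, the accounts, passwords and the decoy record are constructed, and alice uses the RFC 6238 test secret.

```python
import hashlib, hmac, secrets, struct, time

TOTP_STEP = 30  # seconds per counter step (RFC 6238 default)

def hash_pw(password: str, salt: bytes) -> bytes:
    """Slow salted password hash; run on every attempt, valid user or not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, int(at // step))

def make_user(password: str, totp_secret):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_pw(password, salt), "totp_secret": totp_secret}

# Constructed demo accounts (hypothetical, not from any real service); alice uses
# the RFC 6238 test secret, bob has not enrolled TOTP (totp_secret is None).
USERS = {
    "alice": make_user("correct horse battery", b"12345678901234567890"),
    "bob": make_user("staple", None),
}
# Decoy record so an unknown username costs the same work as a known one.
DECOY = make_user(secrets.token_hex(16), b"decoy-secret-not-real")

def login(username: str, password: str, code: str, now: float = None) -> bool:
    """Verify password and TOTP in one step and return a single yes/no, never a
    hint of which factor failed. Accounts without TOTP must leave the code blank,
    so the form looks the same whether or not TOTP is enrolled."""
    now = time.time() if now is None else now
    user = USERS.get(username, DECOY)
    known = username in USERS
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_pw(password, user["salt"]))
    if user["totp_secret"] is None:
        code_ok = code == ""
    else:  # tolerate one step of clock drift either way
        expected = [totp(user["totp_secret"], now + d * TOTP_STEP) for d in (-1, 0, 1)]
        code_ok = any(hmac.compare_digest(e.encode(), code.encode()) for e in expected)
    # All factors are evaluated before combining: a wrong password still pays for
    # the TOTP check and a wrong code still pays for the password hash.
    return known and pw_ok and code_ok
```

The caller shows the same generic failure message whenever login() returns False, which is the property the post asks for; the SMS variant has no equivalent because the act of sending the text is itself the signal.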
lotsofcows|11 years ago
You mean you don't have ssh-agent and Google Authenticator on your mobile 'phone?
EA|11 years ago
OP's Twitter account is only as secure as his cell phone service account.
sweis|11 years ago
It used to generate a QR code for you to scan, but that's apparently broken.
edent|11 years ago
That's primarily to tell the user which phone to check - which isn't a bad thing.
They should probably fix it by saying "we've texted your 2FA code to the phone number ending 171" - or similar.