Twitter’s use of two-factor authentication should be welcomed with open arms. Two-factor authentication makes it difficult for someone to hijack an account by adding another method of validation. To date, a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess.
It’s easy to see why Twitter has chosen to use SMS as the second authentication method. Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers.
However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app, which doesn’t require login credentials to be entered each time. This means that the same device is being used for both authentication factors and, if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication.
Also, it is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. We have already seen similar malware designed to steal mTAN numbers for banking transactions; one such example is ZitMo (ZeuS-in-the-Mobile).