Twitter's Two-Factor Authentication System

Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor:

The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.

When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32 character random nonce, to the mobile app -- along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app replies to a challenge with its private key, relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.

On the user end, this means there’s no string of numbers to enter, nor do you have to swap to a third party authentication app or carrier. You just use the Twitter client itself. It means that the system isn’t vulnerable to a compromised SMS delivery channel, and moreover, it’s easy.

Posted on August 8, 2013 at 12:20 PM • 27 Comments

Comments

Diogo FernandesAugust 8, 2013 12:39 PM

They said here they rolled out this new system so as not to keep secrets on their servers

if ever an attacker could read the data on our servers, he/she won’t be able to generate one.

However, if an attacker is able to write data on their servers in case of the backup scheme, he/she can change the 10.000 times hashed secret to something controlled by him/her. Doesn't this contradicts what they posed above?

Petréa MitchellAugust 8, 2013 1:05 PM

There's another way to log in if you don't have (or lose) your phone-- but how do you register a new phone? And how do you keep someone else from convincing Twitter that a phone in their possession is your new one?

CurbyAugust 8, 2013 1:10 PM

@Chris: It actually sounds a lot like a Twitter-specific Duo Security setup, where the authenticator app talks directly to the server. There's still the second channel of communication, unlike vanilla ssh.

CalsattackAugust 8, 2013 1:24 PM

This just means we will see more mobile malware targeting Twitter to collect these codes.

DennyAugust 8, 2013 1:37 PM

This means you have to use the Twitter client app - which is, to be put it politely, not very good.

I bet they won't be adding this feature-set to their API so that third-party clients can also facilitate it.

MarkHAugust 8, 2013 1:38 PM

Some Obvious Lines of Attack:

• Gaining physical custody of the phone -- temporarily is sufficient

• Remote-Hacking the phone's filesystem to read the private key

• Exploiting defects (if sufficiently severe) of the phone's random-number generation (though it's easy to design to server to prevent this)

• Subverting the "app" to send the encrypted response without the user's intentional authorization

BJPAugust 8, 2013 2:07 PM

@Denny

It only means you have to (at present) use the Twitter client app to authorize login attempts coming from other sources. So if you want to login over the web, you pick up your phone, open the official app and authorize the login, then go back to using it over the web. Similarly so for 3rd party app logins, switch over to the official client to authorize the login, then proceed.

Ross PattersonAugust 8, 2013 2:18 PM

Am I the only one who thinks phones wind up getting stolen more often than passwords?

secret policeAugust 8, 2013 2:53 PM

Twitter App has impressive security. Moxie Marlinspike and Charlie Miller both worked on it to pin TLS certs and this auth scheme. It's probably the only TLS I'd trust over Tor with so many malicious exit nodes

MartinAugust 8, 2013 3:18 PM

Two caveats:

1. Smartphones get more and more used as the second factor, however, more and more usage of the respective services is mobile too. So smartphones are often not a second factor. I often switch between Safari and the Google Auth app for example …

2. Twitter promotes its own app, another blow for third-party app – I probably wouldn't use Twitter if I had to use the official app.

Dirk PraetAugust 8, 2013 7:15 PM

Interesting security enhancement indeed.

Question: when logging in over VPN/Tor with a browser from a location unaware computer as to preserve privacy/anonimity, will the mobile app also transmit to the server its ip address ? In which case the phone would also need to be connected through VPN/Tor in order not to give away the users real ip address. What about other metadata like geolocation the mobile app may or may not transmit that could tie the anonymous login to a specific phone/location/person ?

Tracy ReedAugust 8, 2013 7:21 PM

I wish they would open source this so other applications can use it to and make it a standard (albeit defacto) sort of like how Google did with their Authenticator system which has a pam module and the iphone and android apps freely available under a FOSS license. Google Authenticator implements the OATH, RFC4226, and RFC6238 standards.

confusedAugust 8, 2013 9:03 PM

I dont see how this is any different than other two factor auth. Cept it does it automatically?

AlonAugust 8, 2013 9:36 PM

The main problem with this scheme is that users are stupid. Specifically, it is very easy to socially engineer a user to authorize whatever pop-up appears on their phone. In fact, if the attacker just tried it a few times, most users will eventually authorize it just so the pop-up goes away.

DinyarAugust 9, 2013 2:54 AM

The main problem from my point of view is that the convenience quickly turns into annoying searching for your backup codes when you don't have internet connectivity on your phone (e.g. in an internet cafe on holiday). While other solutions work even when the phone is offline this one seems to fail which probably would make many users turn it off (ironically in an environment in which they'd need that protection the most due to possible keyloggers etc.. )

Stuart.GAugust 9, 2013 5:12 AM

Last time I used the Twitter app, it required the phones GPS location to be turned on and be used when posting a tweet - and wouldn't allow you to tweet unless it was turned on. I removed that app immediately. I only tweet via SMS or the web interface.
SG

Stuart G.August 9, 2013 5:14 AM

The last time I used Twitter's app on my phone it required the phone's GPS to be able to be used and turned on - it wouldn't allow me to tweet unless it was able to use the phone's GPS. I removed that app immediately. I only tweet via SMS or the web site now.
SG

gfunkdaveAugust 9, 2013 8:22 AM

It's a really elegant solution - but I can't help but wonder why Twitter decided to spend all the man-hours reinventing the wheel when they could have just implemented something using Google/Microsoft Authenticator.

@Stuart G- Twitter for iOS has never required me to let it use GPS in order to tweet.

@Dinyar- How is this different from searching for codes elsewhere?

MeAugust 9, 2013 9:31 AM

Now all they need to do is secure the phone against malware.

"I used to have a problem with authentication security, so I used smart phones for a second factor. Now I have two problems with authentication security."

Don't get me wrong, this is still better than what they had before, but I am unsure how much I trust Twitter with access to my smartphone (then again, this lack of trust extended to all, is why I don't actually have a smartphone).

RajivAugust 11, 2013 9:24 PM

I have a activated this method and I accidentally signed out from my mobile app, and now I don't get the notifications.When I try to log in back, they're asking for a temporary code.But I can't generate a new code because I don't have any access to my account through PC.Also I used the backup code once to log in but when I typed it again, they say it's incorrect(which means outdated)
It would be very grateful if someone could help me with this.Thanks!

bobAugust 13, 2013 4:31 AM

@confused Yeah, I never understand why people get so excited about home theatre. I mean, it's just like going out to the cinema but staying at home.

Lachlan HuntAugust 13, 2013 5:21 AM

There are serious problems with the implementation of Twitter's scheme. While the security aspects of the scheme are really clever and they have some nice features, the ability for a user to recover in the event that something goes wrong is severely lacking.

The mobile app only provides one backup code at a time, and there is no other source of backup codes available. It's sensible to record multiple backup codes so you still have more if you use one, but the only way to do that is to very carefully copy them down one at a time and store them.

If you need to use a backup code because, for example, your mobile device has no internet connection and you use the most recent one that your device displays, then that renders every single one of your pre-recorded codes invalid and you have to go through the whole laborious process of recording more.

If you lose your device in the mean time, and you have no remaining valid backup codes, you're out of luck.

The problem here is that Twitter has, unfortunately, designed the system to use the same set of single-use codes for two use cases:

1. Lost device
2. Offline device

Compare this with the many other services including Google, Microsoft, Facebook, etc. who are using TOTP (RFC 6238). This system always works regardless of your device connectivity. All that is needed is the secret key and the current time. Google also provides a completely independent set of backup codes, which I have recorded in a safe and secure location, but I have never had to use one.

The other fundamental problem with Twitter's system is that it completely hides the private key from the user. It is not possible for the user to store a copy of their private key or backup code seed, so if something happens to the device or the twitter application, the keys are irretrievable and cannot be used to re-initialise any other device or re-installed app. This happens if you uninstall the app from the device or even simply log out.

TOTP, on the other hand, allows the user to store the secret key if they choose to do so, either by saving the QR code or writing down the secret key. Personally, I keep a copy of the QR codes in a secure location, so I can set up any device running Google Authenticator, or other similar implementation when I need to.

KenSeptember 18, 2013 3:05 AM

This is what's wrong: I cannot log in. I reset my password, but then a message says, “Check your phone app.” But I don’t have the phone app installed. I install the phone app, which then says I need to create a temporary password on twitter.com, which I can’t log into. Twitter.com says I can enter a previously created “security” password. I enter the special password I created yesterday, but it doesn’t work. Lovely.

SonuNovember 27, 2013 12:06 AM

definitely just like your web page however, you have to use consumers punctuational with a number of you. Several of possibilities rife with punctuational complications and i also to locate it extremely annoying in truth however We'll definitely can come once again once again.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..