Twitter's Two-Factor Authentication System
Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor:
The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.
When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32 character random nonce, to the mobile app—along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app replies to a challenge with its private key, relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.
On the user end, this means there’s no string of numbers to enter, nor do you have to swap to a third party authentication app or carrier. You just use the Twitter client itself. It means that the system isn’t vulnerable to a compromised SMS delivery channel, and moreover, it’s easy.
Diogo Fernandes • August 8, 2013 12:39 PM
They said here they rolled out this new system so as not to keep secrets on their servers
However, if an attacker is able to write data on their servers in case of the backup scheme, he/she can change the 10.000 times hashed secret to something controlled by him/her. Doesn’t this contradicts what they posed above?