Twitter simplifies secure sign-in with in-app approval on iOS and Android

No more typing codes, lets tablets join secure sign-in fun

Twitter today simplified account security with an enhancement that lets customers approve two-factor authenticated log-ins from inside their iOS and Android mobile apps.

The move was reminiscent of Apple's earlier this year when it introduced two-factor authentication for customers' Apple IDs.

"Good stuff from Twitter," said Andrew Storms, senior director of development and operations at San Francisco-based CloudPassage, in an interview via instant message. "I like how they took it a step further, despite being slow to implement the initial two-factor compared to other big vendors."

Storms' "step further" was a reference to the in-app authentication Twitter introduced Tuesday. In May, the micro-blogging service rolled out a standard form of two-factor log-in that relied on text messages.

Two-factor authentication -- sometimes called two-step verification -- is a more demanding method of locking an account than a password-only process. In enterprises, for instance, two-factor uses hardware tokens that generate passcodes, which are valid for just moments and must be entered along with the usual password.

But Web services don't distribute tokens. Instead, they typically send a passcode to a mobile phone number the account owner has registered earlier. The passcode is usually sent as an SMS (short message service) text.

Starting today, Twitter users with the service's official Android or iOS apps on their smartphones or tablets will be able to approve the log-in without entering a string of numbers or having access to SMS. The latter is a big boon for people who rely on tablets.

"Not needing SMS means even users with tablets or those without phones can use two-factor, [people with an] iPod Touch, for example," said Storms. "I have to give Twitter the tip of the hat by taking this beyond SMS."

Apple's two-factor authentication, which rolled out in March, also offers non-SMS authentication, pushing the passcode to an iPhone or iPad via the Find My iPhone app's notification feature.

Unlike Twitter's improved two-step authentication, however, Apple's still requires users to enter a passcode.

Twitter also mimicked Apple in the use of a backup code, which is generated when users register for the optional two-factor authentication. The backup code can be used to access an account if the device with the Twitter app is stolen, lost or simply not within reach when logging onto the service's website from a desktop or notebook browser.

The San Francisco, Calif. company also warned users that some third-party apps may stumble with two-factor authentication engaged; Twitter's own TweetDeck on Windows and OS X is in the same boat. To log into those apps, users must generate a temporary password.

Twitter joined several other major technology companies, including Apple, LinkedIn and Microsoft, that rolled out two-factor authentication this year. Facebook and Google have offered secure log-ins since 2011.

After Twitter was hacked in February, it asked a quarter-million of its customers to reset passwords. Calls for Twitter to implement two-factor authentication got louder after that.

Future breaches won't give hackers anything to work with, at least for those who have opted to switch on two-step authentication, Twitter said today. "We chose a design that is resilient to a compromise of the server-side data's confidentiality: Twitter doesn't persistently store secrets, and the private key material needed for approving login requests never leaves your phone," said Alex Smolen, a Twitter security engineer, in a post to the company's blog.

Twitter has posted more information about the new in-app authentication that includes instructions on how to set up the feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Join the PC World newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesAppletwitterinternetsocial mediaMalware and Vulnerabilities

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?