On April 15, 2013, the Associated Press’s Twitter account reported that President Obama had been injured in an explosion at the White House. Within seconds of the announcement, the Dow Jones Industrial Average plummeted more than 150 points. Fortunately, the President’s Press Secretary quickly confirmed that the President was unharmed and, soon after, the Associated Press announced that its Twitter account had been hacked. Although this was perhaps the most significant instance of a Twitter account being hacked, it was only one of many similar events—the Twitter accounts of the BBC, the CBS News programs “60 Minutes” and “48 Hours” and even Burger King have all been the victims of recent hacker attacks.
In late May 2013, possibly in response to calls by various news organizations and blogs to institute a more stringent authentication system, Twitter announced the launch of an optional two-factor authentication feature.
In a two-factor authentication system, accessing an account requires a second level of authentication in addition to the single level of authentication that a login system typically requires. Login systems with a single level of authentication ordinarily require a user simply to enter a username and password to log in. Two-factor authentication further requires a user to provide an extra set of credentials to log in, which could consist of anything from the individual’s fingerprint or voice print to a physical ATM card or a code provided by telephone. Under Twitter’s two-factor authentication system, the second layer of authentication is a verification code that is sent to the user’s mobile phone and that the user must enter at login. Therefore, to hack into the account of a Twitter user who has enabled two-factor authentication, a hacker would need not only the user’s username and password, but also access to the user’s mobile phone (or some other means of accessing the user’s mobile phone messages) in order to obtain the verification code.
For users who wish to enable this additional level of security, Twitter has provided a helpful walkthrough of the activation process. To activate two-factor authentication, a user can visit his or her account settings page, scroll down to the “Account Security” section, and select the box that reads, “Require a verification code when I sign in.” Twitter has provided the following image to help users easily locate this option:
After selecting this option, a user will be prompted to enter his or her phone number, after which Twitter will send the user’s mobile phone a text message that includes a one-time, six-digit verification code. Assuming the user receives that text, he or she would need to return to Twitter, click “yes” in the “Did you receive our message?” window, and enter the code from Twitter’s text message.
From that point forward, each time the user attempts to log in to the Twitter site, a new six-digit code will be sent to the user’s phone, to be entered in the following window:
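The sketch below is an added example, not Twitter's code and not part of the original article. It shows the server-side handling that a one-time, six-digit login code of the kind described above needs: unpredictable generation, expiry, single use and a cap on guesses. The class name, the five-minute lifetime and the five-attempt limit are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumption: guesses allowed against one issued code


class LoginCodeStore:
    """In-memory table of pending login codes, keyed by username (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code_bytes, expires_at, attempts_left]

    def issue(self, username):
        """Create a fresh six-digit code; the caller texts it to the enrolled phone."""
        # secrets draws from the OS CSPRNG; :06d keeps leading zeros.
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code overwrites (invalidates) any earlier one.
        self._pending[username] = [code.encode(),
                                   self._clock() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_bytes, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]  # expired or guessed out: force a new code
            return False
        entry[2] -= 1  # count the guess before comparing
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code_bytes, submitted.encode()):
            del self._pending[username]  # one-time: a replayed code fails
            return True
        return False
```

With only one million possible values, the attempt cap and short lifetime are what keep a six-digit code from being guessed; the password check still has to pass before this step is reached.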
Twitter’s decision to implement two-factor authentication is a welcome step towards greater account security in the digital world. And Twitter is hardly alone in shifting towards this system. Two-factor authentication is part of a broader trend toward heightened security that is currently being adopted by many similarly situated online service providers. Both Facebook and Google have provided their users with the option of turning on two-factor authentication since 2011, and there have been recent reports that Google may make two-factor authentication mandatory. Further, shortly after Twitter announced its implementation of two-factor authentication, LinkedIn announced that it also had introduced an optional two-step verification feature.
Twitter’s introduction of two-factor authentication following the hacking of the Associated Press’s Twitter account is just one example of how the social media world seeks to rapidly adapt to increasing threats to user security. Moreover, it clearly illustrates why companies with social media accounts should consider switching to two-factor authentication on platforms that offer it, to help mitigate the risks of potentially embarrassing or injurious online situations.