Online security: your two-factor authorization checklist

Twitter reportedly is getting ready to roll out two-factor authentication in the coming weeks—a development that comes not a moment too soon as the company’s current security efforts fall short.
Take Tuesday, when the state of Twitter’s account security was on full display as hackers took over the Associated Press Twitter account and falsely reported two explosions at the White House. The AP attack came just a few days after Twitter accounts controlled by CBS News—including ones for 60 Minutes, 48 Hours, and a network affiliate station in Denver—were taken over.
The malicious attacks would have been harder, if not impossible, to pull off had these Twitter accounts been protected with two-factor authentication. Wired reports that the feature will roll out to Twitter accounts gradually in the coming weeks.

Two-factor authentication requires you to enter two login tokens before you can access an online account. The first token is your standard password (something you know), while the second is a login code randomly generated by a smartphone app or sent via SMS or email (something you have).
Two-factor authentication is becoming a common security feature for many online services you already use, including Dropbox, Facebook, Google, and Microsoft. It may be a little inconvenient to deal with two-factor authentication, but anyone who’s lost control of their Facebook or email account can tell you the extra security gain is worth the minor hassle.
Here’s a quick look at how two-factor authentication currently works for the major online services you use every day.
Google

The best account to start with if you’re new to two-factor authentication is Google, because you can use the Google Authenticator smartphone app to generate random access codes for many other services.
To set it up, visit Google’s two-step verification landing page and click the Get Started button on the top right-hand side of the window. Google will then guide you through the process for enabling two-factor authentication, which includes downloading and installing Google Authenticator for smartphone users.
The Google Authenticator app is available for Android, iOS, and BlackBerry 4.5-6.0 devices. If you don’t have a smartphone you can still use Google’s two-factor authentication by receiving access codes via SMS.
After Google’s two-factor authentication is enabled, you will have to reauthorize any other accounts and devices that access your Google account. Using Google Authenticator is pretty straightforward: You sign in to your Google account with your regular password and then you enter a randomly generated verification code created by Google Authenticator.
At sign-in, regular Google accounts can click a check box so that trusted PCs, such as your laptop at home, won’t require two-factor authentication every time you log in. Google Apps users can authorize trusted devices for only 30 days at a time.
The problem with Google’s two-factor authentication is that some programs—smartphone email clients that access Gmail, for example—don’t work with it.
For these apps, you will have to use a randomly generated application-specific password instead of your regular password. These passwords bypass the need for two-factor authentication and can be revoked by you at any time. Application-specific passwords only have to be entered once per service and can be created by signing in to your Google account and clicking here.
Full Story: Online security: your two-factor authorization checklist | PCWorld.
