Such a system will drastically reduce the risk of Twitter users having their accounts hacked, something that has been experienced by everyday users and major companies such as the Associated Press, the BBC and 60 Minutes.
Two-step (also known as two-factor or multifactor) authentication can prevent a hacker from gaining access to an account far more effectively than a password alone. When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).
Twitter posted a job listing for software engineers in February to build such a solution.
The need for such protection was underscored yet again today, when the Associated Press had its Twitter feed hacked. The hacker sent a bogus announcement of an explosion in the White House that injured President Obama. According to the AP, this likely happened via a phishing attack in which a user was tricked into handing over a password. Two-step verification would have prevented that.
While it is unclear exactly how or when Twitter will roll out two-factor, the recent spate of high-profile account hackings likely added a sense of urgency to getting something out the door. It would be very surprising if the company doesn’t have something out the door within the coming weeks — at least in beta testing mode for highly visible organizations like the AP, The New York Times, and Justin Bieber.
That might mean launching with an SMS only solution, but even that would be better than the current system that relies on passwords alone. One interesting wrinkle with two-step and Twitter is that many of the accounts most prone to hacking have multiple, sometimes very many, users who use a variety of applications. Which means that any solution is likely going to have to support multiple devices, and multiple apps…
Read More: wired.com