Regular readers of this column will be familiar with my statements on the importance of using two-factor authentication for social media properties like Facebook. You also are likely familiar with the recent Burger King Twitter hack in February where I said that Twitter lacks two-factor authentication and advised some steps you can take to better protect your Twitter handle until Twitter two-factor authentication is available.
Today, I’m happy to write that Twitter Two-Factor Authentication is (finally) available. So today I’ll briefly advise you on what to do with this and help you understand some of the ramifications.
The advice on what to do is simple: enable two-factor authentication today. Enabling this is a relatively straightforward process.
First, you have to register a mobile phone number with Twitter. You will do this (and your other actions to enable two-factor authentication) by choosing the “gear” icon in the upper right and selecting “Settings”.
Once you’re in the Settings for your account, you’ll click “Mobile” on the left-hand menu and enter a textable mobile phone number
and hit “Activate Phone”. You will then be instructed to send a text to Twitter to verify this number.
Once verified you can then click “Account” on the left-hand menu and scroll until you see the “Account Security” check box.
Check to select “Require a verification code when I sign in”. You will then receive a confirmation on the phone you registered. Enter that code and your password.
At this point, you’re done and have enabled two-factor authentication for Twitter.
What does this mean?
One of the reasons companies like Twitter have been slow to offer this is their concern that this will be too hard to use. It’s a fair concern but if you understand what this means in practical terms, you can be ready to use this successfully.
First, any time you login to Twitter from a new device or system, you’ll be prompted for a code that will be sent to the phone that you registered.
All you need to do is enter the code you receive on your registered phone and Twitter will function like you’re used to. If you’re using a tool like HootSuite, you’ll find that you have to enter your code when you authorize that application to use your Twitter account.
The biggest criticism/complaint is that there’s a one-to-one relationship between Twitter handles and phones. With Facebook pages there’s no single password and so no single phone associated with the page: each user who is an administrator for a page has their own account, their own password, and so can use their own phone. With Twitter, at least for now, if you have multiple people managing a handle you’re going to have to pick one phone and use it for everyone. No, this isn’t good security. But, compared to what we had prior to this with Twitter, it’s something we can make do with for now.
Another thing you need to be mindful of is once enabled, you must be able to get text messages to your phone to use Twitter. If you take the phone associated with this account somewhere where you can’t get text messages, you may find yourself locked out of your account.
Compared so Google’s implementation of Two-Factor authentication, Twitter’s is definitely very rough around the edges. Quite honestly as someone in the tech world, it feels very rushed to me. But Twitter hijackings have become enough of an issue and the hassle factor with their implementation is generally low enough that I really do strongly recommend everyone managing Twitter go ahead and implement two-factor authentication as soon as possible. Look at it this way: for all the hassles and downfalls associated with it today, it’s only going to get better with time.