A discussion of the AP hack and two-factor authentication below the fold for those of you who aren’t interested.
The AP Twitter account was hacked yesterday and the hacker’s message (that the White House had been bombed and Obama injured) caused a momentary stock market panic. This caused Twitter to announce that they’ll support two-factor authentication. What’s that and why do you want it?
Two-factor authentication is based on a password plus something else – that something else could be a smartcard your computer scans, your fingerprint, or a code that you type in from a device that generates codes. For a mass market app like Twitter, it’s most likely that they’ll create a smartphone app that generates a number that Twitter will request whenever a new computer or new app is used to access their service.
I’ve been using Google’s two-factor auth for a few months on my “real” gmail account, and they’ve removed the PITA factor as much as possible for something that’s an inherent PITA. The Google “Authenticator” app that runs on my phone spits out a six digit number every minute. If Google senses that I’m on a different computer, it requests that six-digit number after I supply a valid password. Since you can log in to a lot of services with your Google password, and many of them don’t support two-factor auth, Google allows you to create special “application passwords” for each of those services.
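The "app that spits out a six-digit number" is an implementation of the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): the phone and the server share a secret, the phone computes an HMAC over the current time step and truncates it to six digits, and the server does the same computation and compares. The following is an added illustration written for this post, not Google's or Twitter's code; it assumes the RFC defaults (HMAC-SHA1, six digits, a 30-second step) and uses the shared secret from the RFC test vectors. The verifier side also shows the two details a service has to get right: tolerating a little clock skew, and refusing to accept the same code twice inside that skew window.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 defaults, which are also what Google Authenticator uses:
# six digits, HMAC-SHA1, one new code every 30 seconds.
DIGITS = 6
STEP_SECONDS = 30


def decode_base32_secret(text):
    """Turn the base32 secret shown at enrolment (QR code or typed text) into key bytes."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding most apps strip
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS):
    """RFC 6238, the phone side: the counter is simply the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step))


def verify_totp(secret, candidate, last_counter, at=None, step=STEP_SECONDS, window=1):
    """The server side. Returns the matched time-step counter (which the caller
    must persist as the new last_counter) or None if the code is rejected.

    window=1 accepts the previous and next step as well, to absorb clock skew
    between phone and server. Any step at or below last_counter is refused, so a
    code that was already used cannot be replayed while it is still in the window."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return None
    if at is None:
        at = time.time()
    counter = int(at // step)
    for delta in range(-window, window + 1):
        step_counter = counter + delta
        if step_counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, step_counter), candidate):
            return step_counter
    return None


# Constructed enrolment data: this is the shared secret from the RFC 4226/6238
# test vectors (ASCII "12345678901234567890"), as it would appear in a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(DEMO_SECRET_B32)
    print("code right now:", totp(key))
    print("code at T=59 (RFC vector 94287082, last six digits):", totp(key, at=59))
```

A service that stores only `last_counter` per user, in addition to the secret, gets replay protection almost for free; without it, an attacker who shoulder-surfs or phishes one code has up to a full window to reuse it.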
Of course, your phone could lose charge or you might not have it with you. Google also lets you print out a sheet of one-time-use numbers that you can tuck in your wallet.
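Printed one-time codes are the simplest part of the scheme, but they have two rules of their own: the service must store only a hash of each code (a leaked database must not hand out working second factors), and each code must stop working the first time it is accepted. This added example, not Google's implementation, sketches that server-side handling; the code format, alphabet and PBKDF2 parameters are choices made for the illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o, 1/l/i so a code read off a crumpled sheet is not misread.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, groups=2, group_len=4):
    """Produce codes like 'k7qp-3mxz' from the OS CSPRNG; these go on the printout."""
    return [
        "-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                 for _ in range(groups))
        for _ in range(count)
    ]


def normalize(code):
    """Accept what the user actually types: ignore case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code, salt, iterations=50_000):
    """Slow, salted digest so a stolen table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, iterations)


class BackupCodeStore:
    """What the service keeps for one user: a salt and one digest per unused code.
    The plaintext codes exist only on the sheet in the user's wallet."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._digests = [hash_code(c, self.salt) for c in codes]

    def remaining(self):
        return len(self._digests)

    def redeem(self, candidate):
        """Return True and burn the code on its first valid use, False otherwise."""
        probe = hash_code(candidate, self.salt)
        for index, digest in enumerate(self._digests):
            if hmac.compare_digest(digest, probe):
                del self._digests[index]  # single use: the code is gone now
                return True
        return False


if __name__ == "__main__":
    sheet = generate_backup_codes()
    store = BackupCodeStore(sheet)
    print("print these and keep them in your wallet:")
    for code in sheet:
        print("  ", code)
    print("first use accepted:", store.redeem(sheet[0]))
    print("second use accepted:", store.redeem(sheet[0]))
```

The `remaining()` count is worth surfacing to the user: when it gets low, the right move is to generate a fresh sheet, which invalidates the old one.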
If Twitter had two-factor auth that functioned like Google, and if the AP were using two-factor auth, the person who hacked their account would not only have to guess their password, they’d also need to have a code that could only be produced by a smartphone app and that was valid for only a minute. This is a lot harder than just guessing a password.
The issue with Google’s, Twitter’s, or any other site’s two-factor auth is that you’ll end up with a plethora of apps and codes to secure all your accounts. There’s an industry consortium called FIDO that’s working on a standard solution which could be shared by many different sites.
If you use Gmail for an account that manages your money, I’d take a serious look at two-factor auth. If you want some incentive, take a look at James Fallows’ account of his wife’s experience being hacked.