Twitter lets users enable two-factor authentication without linking a phone number

0
76
Twitter has updated its security settings, allowing users to enable two-factor authentication without linking their phone numbers


Twitter users will no longer have to link their accounts to a phone to prove who they are after hackers stole CEO Jack Dorsey’s number to access his account and posted racist and offensive tweets

  • Twitter updated its security settings to change its two-factor authentication
  • Users no long need to link their phone number in order to log into their account
  • They can now use authentication apps or security keys to login instead

Twitter has updated its security settings, allowing users to enable two-factor authentication without linking their phone numbers.

The social media site will now let members use authentication apps or security keys in order to save them from falling victim to SIM swapping – a scam that lets cyberthieves infiltrate smartphones.

The update comes a few months after hackers gained access to Twitter CEO Jack Dorsey’s account by stealing his mobile phone number.

Twitter rolled out two-factor authentication in 2013, following a number of high-profile hacks.

The security feature sends users a six-digit code via text each time they log in to check they are in fact who they claim to be.

However, it has become clear that SMS is much more vulnerable that initially believed, so relying on this as a security feature can actually leave a window open for hackers – and Twitter realizes this now.

Scroll down for video 

Twitter has updated its security settings, allowing users to enable two-factor authentication without linking their phone numbers

Users will no longer be required to handover their phone numbers in order to login to their account.

Instead, they can use security keys, which is a physical device that looks like a USB thumb drive, or a web authentication standard (WebAuthn) approved by the World Wide Web Consortium.

This technology allows servers to register and authenticate users using public key cryptography instead of a password. It allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple’s Touch ID. 

Instead of a password, a private-public keypair (known as a credential) is created for a website. 

The social media site will now let members use authentication apps or security keys in order to save them from falling victim to SIM swapping – a scam that lets cyberthieves infiltrate smartphones

The social media site will now let members use authentication apps or security keys in order to save them from falling victim to SIM swapping – a scam that lets cyberthieves infiltrate smartphones

The change comes about two months after Twitter CEO Jack Dorsey had his own account hacked. On August 30th, a series of offensive tweets and retweets were blitzed across Twitter and remained on the CEO's page for roughly 15 minutes

The change comes about two months after Twitter CEO Jack Dorsey had his own account hacked. On August 30th, a series of offensive tweets and retweets were blitzed across Twitter and remained on the CEO’s page for roughly 15 minutes

Brian Wong, a software engineer at Twitter, said: ‘From our 2FA options, security keys stand out as one of the strongest due to their low friction and phishing resistant capabilities.’

‘The WebAuthn API allows for strong browser-to-hardware-based authentication using devices such as security keys, mobile phones (NFC, BLE), and other built-in authenticators such as TouchId.

‘The underlying operations of the WebAuthn standard authenticate users by exchanging user credentials using public key cryptography.’

The change comes about two months after Twitter CEO Jack Dorsey had his own account hacked.

On August 30th, a series of offensive tweets and retweets were blitzed across Twitter and remained on the CEO’s page for roughly 15 minutes.

Tweets from Dorsey’s account during the time span included repeated usage of the word ‘n****r’ along with the occasional use of ‘b***h’.

Tweets from Dorsey's account during the time span included repeated usage of the word 'n****r' along with the occasional use of 'b***h'

Tweets from Dorsey’s account during the time span included repeated usage of the word ‘n****r’ along with the occasional use of ‘b***h’

There were numerous tweets that gave shoutouts to a variety of people but didn't tag any accounts

There were numerous tweets that gave shoutouts to a variety of people but didn’t tag any accounts

Twitter Communications tweeted that they were investigating what happened with Dorsey's 'compromised' account, but security experts suggest it was a SIM swapping hack

Twitter Communications tweeted that they were investigating what happened with Dorsey’s ‘compromised’ account, but security experts suggest it was a SIM swapping hack

An additional tweet also claimed that if people did not follow one specific account, then the Twitter HQ was ‘blowing up.’

Included in the retweets was a comment referring to James Charles’ ‘booty’ and another claiming that ‘nazi germany did nothing wrong.’

‘Unsuspend my s**t @plugwalkjoe/@percocet/@99 u bald skeleton head tramp,’ the suspected hacker said in the last tweet before Jack reclaimed his account.

The tweets and retweets were soon deleted off of Dorsey’s account and all the accounts that had been retweeted had their account suspended.

Twitter Communications tweeted that they were investigating what happened with Dorsey’s account.

Although Twitter has not confirmed, security experts believe it was a SIM swap hack, which a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.

 

Advertisement



Source link