Is Twitter's Beefed-Up Authentication an Option for Banks?

Last month Twitter suffered a major embarrassment when hackers took over the handles of some major brands, including those of Burger King and the Associated Press. Now it's fighting back with an improved multifactor authentication strategy.

The system, which relies on a mix of in-app-generated codes and confirmations sent to a smartphone, could be one that banks might eventually want to imitate.

But not just yet, says Al Pascual, a senior security analyst at Javelin Strategy & Research.

"The fact that Twitter has a huge installed base makes this a really good" test, he says. "I'd watch and see what happens, and if it works out well — and trust me people are going to try and break it — that's great."

The method is interesting.

When prompted to reset a password, a user is forced to go through an exhaustive process to prove that she is the actual account holder.

From the desktop, she's required to choose a new password. Twitter then sends a text message to her smartphone containing a special code, which she types into her desktop computer. She's also required to log in to her Twitter mobile app, pick up a random 16-digit backup code, and plug that into the browser.

In the background, Twitter generates a private key on the user's smartphone that it then sends back to its servers.

In the future, whenever that user tries to log in, the protocol will generate a "challenge and request ID."

Twitter claims its method is more secure than other, more traditional multifactor structures.

"Traditional two-factor authentication protocols require a shared secret between the user and the service," the social media giant said in a blog post. "A weakness of these protocols is that the shared secret can be compromised if the server is compromised."

Twitter explained that it chose a design that's supposedly resilient to that kind of compromise because the "private key material needed for approving login requests never leaves" a user's mobile device.
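The contrast Twitter draws above, sketched as an added example (this is not Twitter's code, and the page gives no protocol details beyond the challenge and request ID). Ed25519, the `requestId:challenge` message layout, the simplified HMAC code and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Shared-secret design: device and server hold the same key.
// Simplified HMAC-of-counter code (not RFC 4226 truncation).
function sharedSecretCode(secret, counter) {
  const mac = nodeCrypto.createHmac('sha256', secret).update(String(counter)).digest();
  return String(mac.readUInt32BE(0) % 1000000).padStart(6, '0');
}

// Public-key design: the private key stays on the device and the
// server stores only the public key.
function enrollDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server side: a fresh random challenge and request ID per login attempt.
function newLoginRequest() {
  return {
    requestId: nodeCrypto.randomBytes(8).toString('hex'),
    challenge: nodeCrypto.randomBytes(32).toString('hex'),
  };
}

const payload = (req) => Buffer.from(`${req.requestId}:${req.challenge}`);
const approveOnDevice = (device, req) => nodeCrypto.sign(null, payload(req), device.privateKey);
const serverVerify = (rec, req, sig) => nodeCrypto.verify(null, payload(req), rec.publicKey, sig);

function demo() {
  // Constructed sample data throughout.
  const secret = nodeCrypto.randomBytes(20);
  const serverCopy = Buffer.from(secret); // what a server database dump would contain
  const { device, serverRecord } = enrollDevice();
  const other = enrollDevice().device; // any key other than the enrolled one
  const req1 = newLoginRequest();
  const req2 = newLoginRequest();
  const sig1 = approveOnDevice(device, req1);
  return {
    // The server's copy of a shared secret is enough to compute a valid code.
    leakedSecretYieldsValidCode: sharedSecretCode(serverCopy, 7) === sharedSecretCode(secret, 7),
    legitimateApproval: serverVerify(serverRecord, req1, sig1),
    // An old approval does not satisfy a new challenge.
    replayOnNewChallenge: serverVerify(serverRecord, req2, sig1),
    // The stored public key verifies approvals but cannot produce them.
    signedWithoutDeviceKey: serverVerify(serverRecord, req2, approveOnDevice(other, req2)),
  };
}
```
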

There are barriers to banks' adoption of this manner of authentication. For one, the complexity of the system might inevitably confuse customers and either alienate them or drive up a bank's call-center costs.

"I think the presence of both cryptographic and SMS-based verification, enabled in two different ways, will cause confusion to some users," says CA Technologies' chief security architect Jim Reno, in a separate blog post. "In fact I was able to confuse Twitter's servers: at one point I had the server thinking it was using SMS-based verification while the phone thought it was using cryptography. The result was being blocked at the server until I disabled verification at the phone, as well as getting SMS messages containing long, cryptic strings, obviously intended for the app, not the human."

He writes, though, that over time this should evolve into a more streamlined approach. There is still the problem of unintended consequences.

"You are training users to go through severe security hoops so they might have an issue telling what's a genuine security case and what's malware," says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs. "Imagine some malware got on your phone, or your laptop, and it said: 'I'm Twitter … give me your Social Security number and give me your mother's maiden name.' "

Regardless, banks are increasingly trying to move to a self-service model that Twitter's new authentication scheme could facilitate, says Robert E. Lee, security business partner at Intuit.

"It's a better user experience; and coupling knowledge challenge [and] possession challenge is stronger than knowledge challenges alone," he says. "You need to disable the SMS authentication before enabling the app-based authentication. My account was goofed up for an hour or so before I figured that out. That said, the Twitter example of two-way out-of-band and contextual details, sent in a signed or encrypted channel, is the way of the future. It's the logical replacement for one-time-passwords. OTP is dead."

Banks are already thinking about this, says Joe Sturonas, chief technology officer for the IT security company PKWARE.

"I was just talking to the head of infrastructure for one of the largest banks in the world, and he said the thing that keeps him up at night right now is authentication, or lack thereof," he says. "I think authentication, and all that authentication implies, is huge right now."

Sturonas adds that people are under the mistaken impression that just because something is encrypted, it is secure.

"Pretty soon, any moron on the street will be able to encrypt, and just because you receive data that is encrypted, you don't know that the entity that sent it is actually the person you think it is," he says. "Encryption does not give a full security picture unless you can authenticate. Encryption is only half the security story, and it has to be paired with authentication."
