The security of user data has long been one of the most pressing issues facing developers. This week, Twitter announced an update to their two-factor user authentication process put in place in May, highlighting the seriousness with which websites are taking user protection. So just how are these security enhancements going to stop hackers from stealing our celebrities’ most intimate pics?
Twitter’s security update comes after the social media site suffered a “sophisticated” password breach earlier this year. The attack reportedly exposed the cryptographically protected password data and login tokens of up to 250,000 users. In response, Twitter offered a more secure two-step authentication that relied on text messaging, but even that wasn’t enough to put the company at ease.
The main problem with the text message approach was the unreliability of wireless carriers. Some carriers don’t even support SMS verification, and there’s no guarantee that the ones that do use secure message delivery channels. Although this makes things a little more difficult for hackers, it’s very doable for those with the know-how.
The in-app approach alleviates this potential security breach by generating a public/private key pair on the user’s smartphone, and the pair is shared with no one but Twitter and that device. As a matter of fact, the private key never leaves the user’s mobile device. Twitter only saves the public key on its authentication server, and a public key alone does no good for hackers looking to encroach on someone’s privacy.
The ramped-up approach may sound like a big undertaking, but it makes sense for a company that relies so heavily on the trust of its users. Just ask Sony, whose image took a serious scraping when a 2011 breach compromised much of its proprietary user info, leaving customers wondering exactly how it happened and how they’ll be affected. Though the breach wasn’t explicitly password related, the message stands: a progressive attitude is a valuable thing to have in the world of data security.
Not all two-factor authentication schemes are created equal. As Twitter’s overhaul shows, the factors don’t need to include conventional means such as phone numbers and email addresses to be effective. At the same time, questionable design decisions can undermine a company’s attempt at better security.
Apple’s newly implemented two-factor system took heat from two different angles earlier this year when mobile news writers discovered it didn’t apply to iCloud accounts and it displayed authentication codes on the lock screens of the very phones it was meant to protect. A creative hacker with access to the targeted user’s iPhone could plausibly lock the victim out of his own account with little trouble. It’s a far-fetched scenario, but believable enough to put users on edge.
How do you want your users to prove they are who they say they are? What factors do you want them to use? Will the measures be optional or mandatory? What account features will they protect? These questions, and countless others, need heavy consideration when building or upgrading a multi-factored authentication system. Make no mistake about it, user data is that important, and as hard as it may be to keep that information secure, it’s even harder to muffle the rabble-rousers once your security has been compromised.
A little creativity can give a well-designed system multiple layers of value. Though they’ve yet to roll out all their planned features, Twitter’s recent changes focus on convenience and security. In the future, users will be able to employ third-party posting apps and other related software with the advanced first-party authentication features, giving them freedom to use their app of choice while keeping things as secure as possible.
Treating your users’ info with the utmost care shouldn’t be an afterthought. Doing things right from the start is a surefire way to earn the trust of the people using your software, and that’s a heck of a lot easier than winning them back after an embarrassing and dangerous blunder.