Optus and Vodafone customers need not apply when it comes to Twitter's two-factor authentication.
It seems that trusty old logins and passwords simply aren't enough to keep us safe online these days. A spate of high-profile account hackings has accelerated the rollout of "two-factor authentication" by many service providers, adding an extra layer of security to your online accounts.
Two-factor authentication relies on something you know (your password) and something you have. In this case the something you have is your phone, to which Twitter texts a six-digit code. You need to enter your password and the code when logging into twitter.com. Unfortunately Twitter still doesn't have a connection to some Australian telcos, plus the advanced features aren't as extensive as the two-factor authentication options from the likes of Google.
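To make the "something you know plus something you have" flow concrete, here is a small server-side sketch of how a site like Twitter would issue and check a six-digit SMS code. This is an added example written for this article, not Twitter's code, and the time limit, attempt limit and user store are assumptions: the code is generated from a secure random source, expires after a few minutes, is thrown away after one use or too many wrong guesses, and is compared in constant time alongside the password check.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is only good for five minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the code is voided

# Constructed toy user store: username -> sha256 of the password (illustration only,
# a real service would use a slow, salted password hash).
USERS = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}


class SmsCodeVerifier:
    """Tracks the one pending login code per user ("something you have")."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # user -> [code, issued_at, wrong_attempts]

    def issue(self, user):
        """Generate a fresh zero-padded six-digit code for this user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now(), 0]
        # A real service hands this to the SMS gateway; returning it here
        # only serves the example.
        return code

    def verify(self, user, submitted):
        """Return True once, for the right code, within its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # stale or brute-forced: discard it
            return False
        entry[2] += 1
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user]      # single use
            return True
        return False


def password_ok(user, password):
    """Check the first factor ("something you know") in constant time."""
    stored = USERS.get(user)
    if stored is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


def login(verifier, user, password, code):
    """A login succeeds only when both factors check out."""
    if not password_ok(user, password):
        return False
    return verifier.verify(user, code)


if __name__ == "__main__":
    v = SmsCodeVerifier()
    texted = v.issue("alice")                     # stands in for the SMS
    print(login(v, "alice", "wrong password", texted))           # False
    print(login(v, "alice", "correct horse battery staple", texted))  # True
    print(login(v, "alice", "correct horse battery staple", texted))  # False, already used
```

The `now` parameter exists so the expiry path can be exercised with a fake clock; everything else is plain standard library.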
There are other Twitter security features you should consider when looking at two-factor authentication. The first is "Require personal information to reset my password", which makes it a little harder for someone to hijack your account. You'll find it on the Account tab of your Settings page. Once you enable it, when you request a password reset you'll also be asked for your email address or mobile number.
Of course that's not much protection if you've associated your public email address with your Twitter account, but it could offer an extra layer of protection if you've associated your account with another email address or alias which no-one else knows about. Using aliases is a useful trick for protecting your online accounts. Hackers won't have much luck breaking into your accounts if they're trying to use your public email address -- for example firstname.lastname@example.org -- but the account is associated with an alias such as email@example.com or firstname.lastname@example.org.
Back in the Twitter settings, you might want to click on the Mobile tab and add your mobile number. You're given the option to add a Telstra, Vodafone or Optus number, but if you try the last two you're told "Sorry, we don't have a connection to your carrier yet!". That's pretty poor form considering Twitter struck a deal with Telstra almost four years ago. I tried pretending a Vodafone number was a Telstra number but had no luck. Even if you are a Telstra customer, you can't associate the same mobile phone number with more than one Twitter account. That's pretty frustrating if you're trying to manage several Twitter accounts, and it's not a restriction you run into when setting up Google two-factor authentication.
Once you've associated your Telstra mobile phone number with your Twitter account, a password reset will require you to enter your mobile number rather than your email address. Depending on how you share your contact details, hackers might be less likely to know your mobile number than your email address. Of course with an email address you can use a secret alias, which is much harder to do with a mobile phone number, and it would be good if Twitter let you choose which method you want to use for a password reset.
With your phone number registered it's time to look at two-factor authentication. Like I said, non-Telstra customers need not apply. Other services like Google offer alternatives like smartphone apps and one-time printed codes to save the day when you don't have network access for two-factor authentication. Twitter's two-factor authentication simply isn't that sophisticated -- which is disappointing because Twitter accounts seem to be key targets for hackers.
To test it for yourself, scroll down the Account tab and you'll find "Account security: Require a verification code when I log in". You won't be able to tick the box unless you've associated a mobile phone number. Tick the box and Twitter sends a text message to your phone which reads: "Twitter can send verification codes to this device!" If you receive the text message, go back to the browser and click Yes. If you don't, you won't be able to use Twitter's two-factor authentication tools.
Another key limitation of Twitter's two-factor authentication system is that it only works with twitter.com. Third-party Twitter clients and other social media services access Twitter via a different authentication system, only requiring your login and password. Once again this falls short of Google, which applies its two-factor protection across the board and lets you generate unique passwords for services which don't play nicely with two-factor authentication.
The fact that you're limited to SMS probably makes Twitter two-factor authentication impractical for large organisations which grant multiple staff access to Twitter accounts. Another frustration is that you can't tell Twitter to remember your browser, so you need to punch in a new code every time you log in to twitter.com (which admittedly probably isn't that often if you generally use third-party Twitter clients).
All up Twitter's efforts are pretty underwhelming when compared to what other online services are doing. It's still early days and they might improve with time, but for now Twitter's two-factor authentication tools really feel like a token effort. Do they work for you?