Twitter announced today that it is rolling out “login verification,” a.k.a. two-factor authentication. It’s a password-security measure that people have been clamoring for, especially given the recent wave of Twitter-account hijackings by the Syrian Electronic Army.
That’s bad news for celebrities who want plausible deniability when they tweet embarrassing things. But it’s good news for the average user, because it means that your Twitter account should be safe even if someone manages to steal your password. Once you’ve turned on login verification, signing into Twitter will require not only your password but also a code that will be sent to your phone via text message. That means password thieves will be stymied, unless they’ve somehow gotten hold of your phone, too.
The system isn’t perfect, though. As TechCrunch’s Josh Constine points out, it doesn’t yet work with mobile apps. And for now Twitter allows only one phone number per account, which is inconvenient for big organizations that need to give multiple employees access to their Twitter feeds. Finally, as my colleague Farhad Manjoo noted, you have to have a working cellphone signal in order to receive the text message, which is not the case with more advanced services like Google Authenticator.
So why doesn’t Twitter just use Google Authenticator instead? “We wanted to build this as part of the Twitter architecture,” spokesman Jim Prosser told me, because the engineering work that Twitter put into the login-verification feature will allow it to add more security measures in the future.
Login verification is being rolled out to Twitter users throughout the day. To turn it on, visit your account settings page and check the box that says, “Require a verification code when I sign in.” If you need help, consult the video below.
Then do yourself a favor and enable two-factor authentication for your email and Facebook accounts, too. PCWorld has a good primer on how to do that for the most popular services.
One last note: It's always prudent make these types of account changes by visiting the relevant website directly from within your browser, not by clicking a link in an email. Scammers are often quick to capitalize on security news like this by sending out bogus messages telling people to “click here” in order to change their password. Don’t do it, or you might end up like The Onion.