
Yet another reason why Twitter needs two-factor authentication.

  The tweet, which said that there had been two explosions at the
  White House and President Barack Obama was injured, came
  after hackers made repeated attempts to steal the passwords of
  AP journalists.
https://www.facebook.com/APNews/posts/10151407898286623


...or maybe we should not be relying on Twitter when we make financial decisions?


If people with large pockets are dedicated enough to monitor Twitter, it must probably have proven efficient enough to justify doing it. I don't expect them to stop doing so until the fake tweets situation goes very big. And I'm sure Twitter will react with stronger authentication before it gets that bad.


This really is the right idea but it's unlikely that we're gonna get people to change how they take in their news and how they will react to it.


Twitter were hiring engineers with this specific knowledge a long while ago. It must really be tricky for them to make it work, somehow.


So-called "two-factor" authentication on the internet pretty much means entering two different passwords. I've never seen anyone attempt anything more complicated than making people remember what ultimately amounts to yet another password. Certainly not on a free website.

But even financial websites pretty much provide a dumb questionnaire list with challenges like "what was your first dog's favorite color?" to which you can choose any kind of text string as a response ("bark" for example).

Does anyone honestly believe that these things provide additional security? It's like the TSA frisky-crotch-grope of authentication.


> Does anyone honestly believe that these [two-factor auth] things provide additional security? It's like the TSA frisky-crotch-grope of authentication.

Yes. Especially as time-based passwords, à la an RSA token or Google's two-factor auth, since they require something you know (your password) and something you have (the token). They expire and regenerate every minute or so, can't really be remembered or predicted, require access to a physical device that displays the password, and are near impossible to predict without information about the seed.


I personally don't care about it all that much, since I hold about zero affluence and clout on Twitter, but it's a stupid hassle to stay on top of for celebrities and the people managing brands and politicians.

I am a security zealot, and even I can't be bothered to have unique passwords on some - unimportant - websites.

It is so easy to set up for a user, and I might as well just have it, if it means all my sites are represented in Google's TFA app on my phone. It's no hassle to use at all, as long as the sessions last for a few weeks.


It's not just two different passwords, it's one password that you know and another password sent to some physical device (usually a mobile) that you must be in possession of.


What you're describing is not two-factor auth, it's more like a recovery question.

Two-factor auth involves entering a temporary code along with your password. The temporary code comes via SMS or a special mobile phone app. Google, Facebook, and Dropbox are examples of free websites that offer this.




