Worth enabling if you want to keep your Twitter account secure.
Source: Official Twitter Blog / Twitter
Every day, a growing number of people log in to Twitter. Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web.
Today we're introducing a new security feature to better protect your Twitter account: login verification.
This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address.
Why on earth did Twitter not use the popular RFC 6238 standard? If they had, you would be able to use Google's Authenticator app.
Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign into Twitter through its website. This is the case even if it's from a computer or device that they've logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the phone first, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, then you can only secure a single account.
There are some additional limitations to Twitter's scheme. Other mobile devices and applications (such as HootSuite and TweetDeck) will have to be configured individually as they're added, using a temporary password generated through Twitter's applications page to be authorized on first login. Unlike the RFC 6238 scheme used by Google, Facebook, and Microsoft, there's no way to use standard, generic authentication apps to generate time-based, one-time passwords. So if you can't get the SMS, you're out of luck. And unlike those systems, there's no facility to create persistent application-specific passwords. (Source)