Replacing SMS, new Twitter system uses strong crypto from iOS or Android app.
by Dan Goodin
Twitter has unveiled a new login verification feature that largely replaces the two-factor authentication system it rolled out in May to prevent a rash of password phishing attacks hitting its users.
The new system relies on strong encryption to provide iOS and Android smartphone users with an end-to-end solution that’s not vulnerable to compromised SMS delivery channels. Unlike the current system, it also does away with the use of a “shared secret” between end users and Twitter, since the secrets are often just as vulnerable as passwords to phishing and other types of attacks. The cryptographic key used to approve login requests stays on a user’s phone and is managed by the Twitter app itself. In addition to being more resistant to attack, the system is easier to use, company officials said.
“Now you can enroll in login verification and approve login requests right from the Twitter app on iOS and Android,” Twitter security engineer Alex Smolen wrote in a blog post published Tuesday. “Simply tap a button on your phone and you’re good to go. This means you don’t have to wait for a text message and then type in the code each time you sign in on twitter.com.”
Additional details are available here. Twitter has also devised an alternative method that involves using a stored backup code for verifying logins when users don’t have access to their phones.
The new service comes amid criticism that the current two-factor authentication system did little to prevent the kinds of phishing attacks that have plagued Burger King, the Associated Press, and a large number of other prominent Twitter users. That’s because the same spoof pages that instruct users to enter their usernames and passwords can often be modified to ask for the one-time verification code that’s sent as a text message. In extreme cases, account hijackers have also been able to bypass two-factor authentication by first taking control of the phone number that receives the one-time PIN code.
The new Twitter system relies on a 2048-bit RSA key pair, with the private portion stored on the phone and the public key being sent to Twitter. Twitter then uses the public key as part of the “user object” to ensure the cryptographic secret behind the verification is never exposed in clear text.
“Whenever you initiate a login request by sending your username and password, Twitter will generate a challenge and request ID—each of which is a 190-bit (32 alphanumerics) random nonce—and store them in memcached,” Smolen explained. “The request ID nonce is returned to the browser or client attempting to authenticate, and then a push notification is sent to your phone, letting you know you have a login verification request.”
The Twitter smartphone app alerts the user of the login request and includes key details such as the time, geographical location, and browser used, as well as the challenge nonce of the request. The smartphone user then either approves or denies the request. An approval results in the device using the private key to sign the challenge. Logins will only proceed if the cryptographic signature in the approval matches the user profile.
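The challenge-response flow described above, sketched as an added example (not Twitter's code). It assumes the third-party `cryptography` package, RSA-PSS with SHA-256 as the signature scheme, an in-memory dict in place of memcached, and hypothetical names (`Phone`, `LoginServer`); the article specifies only the 2048-bit RSA key pair and the nonce format.

```python
import secrets
import string
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ALPHANUM = string.ascii_letters + string.digits
# Assumed signature scheme: the article names only "2048-bit RSA".
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

def new_nonce() -> str:
    """32 random alphanumerics, the nonce format quoted above."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(32))

class Phone:
    """Holds the private key; only the public half leaves the device."""
    def __init__(self):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._key.public_key()

    def approve(self, challenge: str) -> bytes:
        return self._key.sign(challenge.encode(), PSS, hashes.SHA256())

class LoginServer:
    def __init__(self):
        self.user_keys = {}  # username -> enrolled public key
        self.pending = {}    # request_id -> (username, challenge); memcached stand-in

    def enroll(self, username, public_key):
        self.user_keys[username] = public_key

    def start_login(self, username):
        """Run after the password check; returns (request_id, challenge)."""
        request_id, challenge = new_nonce(), new_nonce()
        self.pending[request_id] = (username, challenge)
        return request_id, challenge  # request_id to browser, challenge to phone

    def finish_login(self, request_id, signature) -> bool:
        entry = self.pending.pop(request_id, None)  # single use, so replays fail
        if entry is None:
            return False
        username, challenge = entry
        try:
            self.user_keys[username].verify(signature, challenge.encode(),
                                            PSS, hashes.SHA256())
            return True
        except InvalidSignature:
            return False
```

Because the server stores only the public key and each challenge is consumed on first use, neither a captured signature nor a copy of the server's data is enough to approve a later login.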
For those who don’t have their phone handy, there’s a way to sign in using a backup code that the user stores in a safe place. The code is generated by an algorithm known as S/KEY. The phone stores a 64-bit random seed that is cryptographically hashed 10,000 times and converted into a 12-character string that’s sent to Twitter servers. After it’s used, the phone then instructs the user to write down a new backup code, which is the same seed hashed 9,999 times. The process repeats itself again the next time with the seed being hashed 9,998 times.
“This means that you don’t have to be connected to Twitter to generate a valid backup code,” Smolen explained. “And due to the one-way property of the hash algorithm, if ever an attacker could read the data on our servers, he/she won’t be able to generate one.”
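The backup-code hash chain described above, as an added example (not Twitter's code). The article does not name the hash or the text encoding, so this sketch assumes SHA-256 folded to 64 bits per step and base64, which turns 8 bytes into a 12-character string; `BackupCodeDevice` and `BackupCodeVerifier` are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets

def step(value: bytes) -> bytes:
    """One link of the chain: SHA-256 folded to 64 bits (assumed hash)."""
    return hashlib.sha256(value).digest()[:8]

def chain(seed: bytes, count: int) -> bytes:
    for _ in range(count):
        seed = step(seed)
    return seed

def encode(value: bytes) -> str:
    return base64.b64encode(value).decode()  # 8 bytes -> 12 characters (assumed)

class BackupCodeDevice:
    """Phone side: keeps the seed and a counter, works offline."""
    def __init__(self, count: int = 10_000):
        self._seed = secrets.token_bytes(8)  # 64-bit random seed
        self._count = count

    def enroll(self) -> str:
        return encode(chain(self._seed, self._count))  # value sent to the server

    def next_backup_code(self) -> str:
        self._count -= 1  # 9,999 hashes, then 9,998, and so on
        return encode(chain(self._seed, self._count))

class BackupCodeVerifier:
    """Server side: stores only the most recently accepted chain value."""
    def __init__(self, enrolled: str):
        self._current = base64.b64decode(enrolled)

    def redeem(self, code: str) -> bool:
        try:
            candidate = base64.b64decode(code, validate=True)
        except ValueError:
            return False
        # A valid code is the preimage of the stored value under one hash step.
        if not hmac.compare_digest(step(candidate), self._current):
            return False
        self._current = candidate  # advance, so the code cannot be reused
        return True
```

The verifier never holds anything that hashes forward to the next code, which is the one-way property Smolen refers to.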
In theory, the system might also be resistant to the type of security breach Twitter suffered in February that exposed cryptographically hashed login credentials for 250,000 users. Even if the attackers succeed in cracking the hashes, they wouldn’t be able to retrieve the login-verification secret.
Twitter clients that don’t support the XAuth authentication process will be required to navigate to twitter.com and generate a temporary password from the passwords settings menu. The temporary password can be used in place of the regular password to sign in over XAuth.
The scope and sophistication of the new login verification process sound impressive and give a strong indication that Twitter engineers have devoted plenty of time and thought to creating a system that’s both secure and easy to use.
“It’s a good move to free them from the SMS side of things,” said Bruce Marshall, founder of PasswordResearch.com. “They don’t have to worry about trojans on the phone or interception of the SMS message.”
Still, it will take time for outside cryptographers and researchers to test the system to make sure it’s not vulnerable to technical exploits or social-engineering attacks. For the time being, color us impressed by what just may be the best two-factor authentication system available on a consumer website.