Twitter entered the two-factor authentication (2FA) game earlier this year when they released the de facto implementation, time-based OTP over SMS. It has been working fine even though it had its shortcomings, including the inability to view app passwords created for apps without support for 2FA. Not to mention the lack of carrier support for most operators in Sweden.
Twitter have just superseded their recently implemented 2FA with a new scheme called “login verification”, which uses your mobile Twitter client as an authentication token, so they no longer have to rely on carriers to support the service.
The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.
When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32-character random nonce to the mobile app – along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app signs the challenge with its private key and relays the signed response back to the server. The server matches that response against the pending request ID, and if the signature verifies, the user is automatically logged in.
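To make the exchange concrete, here is a small simulation of the enrolment and challenge-response flow as the post describes it. This is an added example written for this page, not Twitter's code, and it assumes details the post does not give: the nonce is 24 random bytes rendered as 32 base64 characters (close to the stated 190 bits), the signed message is a SHA-256 hash of the request ID and nonce, RSA-PSS is the signature scheme, and each pending request is single-use. The type and function names (Server, Device, Enroll, StartLogin, Approve, Deny, Complete) are all hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Challenge is what the server pushes to the enrolled phone, together with the
// context (time, location, browser) the user sees before approving or denying.
type Challenge struct {
	RequestID string // identifies the pending login on the server
	Nonce     string // 24 random bytes, base64 -> 32 characters (assumed encoding)
	Context   string // constructed sample, e.g. "Stockholm, Chrome"
}

// Response is the approved challenge, signed with the phone's private key.
type Response struct {
	RequestID string
	Signature []byte
}

type pendingLogin struct {
	user  string
	nonce string
}

// Server keeps one enrolled public key per account and the logins awaiting approval.
type Server struct {
	pubkeys map[string]*rsa.PublicKey
	pending map[string]pendingLogin
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]*rsa.PublicKey{}, pending: map[string]pendingLogin{}}
}

// Device models the mobile app; the private key never leaves it.
type Device struct {
	user string
	priv *rsa.PrivateKey
}

// Enroll generates the 2048-bit RSA keypair on the device and uploads only the public half.
func Enroll(srv *Server, user string) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srv.pubkeys[user] = &priv.PublicKey
	return &Device{user: user, priv: priv}, nil
}

// StartLogin runs after the password check passed: it records a fresh nonce under a
// new request ID and returns the challenge that would be pushed to the phone.
func (s *Server) StartLogin(user, context string) (Challenge, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return Challenge{}, errors.New("no device enrolled for " + user)
	}
	id := make([]byte, 16)
	nonce := make([]byte, 24)
	if _, err := rand.Read(id); err != nil {
		return Challenge{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{RequestID: hex.EncodeToString(id), Nonce: base64.StdEncoding.EncodeToString(nonce), Context: context}
	s.pending[ch.RequestID] = pendingLogin{user: user, nonce: ch.Nonce}
	return ch, nil
}

// signingInput binds the signature to both the request ID and the nonce, so an
// approval for one login cannot be replayed against another.
func signingInput(requestID, nonce string) []byte {
	h := sha256.Sum256([]byte(requestID + "\x00" + nonce))
	return h[:]
}

// Approve is what the app does when the user taps "approve" on the notification.
func (d *Device) Approve(ch Challenge) (Response, error) {
	sig, err := rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, signingInput(ch.RequestID, ch.Nonce), nil)
	if err != nil {
		return Response{}, err
	}
	return Response{RequestID: ch.RequestID, Signature: sig}, nil
}

// Deny drops the pending login so it can never be completed.
func (s *Server) Deny(requestID string) { delete(s.pending, requestID) }

// Complete looks the pending login up by request ID, verifies the signature with the
// enrolled public key and consumes the entry, so each challenge is single-use.
func (s *Server) Complete(resp Response) (string, error) {
	p, ok := s.pending[resp.RequestID]
	if !ok {
		return "", errors.New("unknown or already used request ID")
	}
	delete(s.pending, resp.RequestID) // consumed whether or not verification succeeds
	digest := signingInput(resp.RequestID, p.nonce)
	if err := rsa.VerifyPSS(s.pubkeys[p.user], crypto.SHA256, digest, resp.Signature, nil); err != nil {
		return "", fmt.Errorf("signature check failed for %s: %w", p.user, err)
	}
	return p.user, nil
}

func main() {
	srv := NewServer()
	phone, _ := Enroll(srv, "alice")
	ch, _ := srv.StartLogin("alice", "Stockholm, Chrome")
	resp, _ := phone.Approve(ch)
	user, err := srv.Complete(resp)
	fmt.Println("logged in:", user, "err:", err)
	_, err = srv.Complete(resp) // replaying the same approval fails
	fmt.Println("replay err:", err)
}
```

The point of binding the request ID into the signed message and consuming the pending entry is that an approval is good for exactly one login; the same structure is what lets the web client stay unaware of the second factor, since the server only needs to wait for a valid Complete before finishing the session.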
A very creative solution to the problem, and since the approval is completely out of band with the authentication, clients do not even need to be aware of the secondary authentication procedure.
The downside is naturally that your phone is ever more important to keep track of, even though they seem to have support on standby in case you lose access to your phone.
Facebook uses a similar strategy if you have enabled login verification for your account, but instead of relying on RSA cryptography, any logged-in client may approve a new computer. The upside compared to the Twitter solution is that the approvals are not locked to one particular device, and the downside is the exact opposite – any logged-in client may approve a new client.
When enabling login verifications, you are presented with a backup code, which can be used to access your account in case you lose your phone. I make it a habit of always writing the recovery codes into the current site’s entry in 1Password. That way, you can use any computer with 1Password installed to retrieve it when needed.