In light of Twitter’s recent decision to offer two-factor authentication, many have noted that phone-based authentication is impractical for enterprise Twitter users, many of whom rely on multiple individuals to manage a single enterprise account. While a noble gesture, it is not only impractical but also not as secure as many may think. So what should Twitter do? Why not look to a group of companies who have long needed to authenticate their users before enabling transactions: banks.
Banks have been battling cybercriminals for decades. A constantly evolving network of bad actors continues to identify and exploit vulnerabilities to perpetrate fraud. Traditional prevention approaches are a necessary first line of defense but far from bulletproof. And so criminal organizations continue to make millions.
Just like with Twitter, the weakest link in online banking continues to be the customer. When banking losses happen, customers believe that, regardless of their inability or unwillingness to implement secure online banking practices, the bank will reimburse their account for the entire loss.
The FBI and the American Bankers Association (ABA) recommend designating a separate computer solely for online banking activities (i.e., no emailing or internet browsing) to prevent online fraud. Similarly, Twitter’s current solution dictates that just one person be responsible for managing a company’s social media account. Neither practice is convenient or realistic.
When given the choice, users will routinely opt for the “path of least resistance” when conducting business online, be it banking or social media. The more complex the process, the less likely the customer is to comply. Attempting to shift too much of the compliance burden to the end user will be met with resistance, and ultimately rejection. The last thing a company wants to do is make its online channel so unappealing to customers that they leave in droves, or let it wither from neglect.
As Twitter matures its security strategy, there are a number of options to consider. For example, it might require that corporate account users access the site using a secure browser, as many banks already do. This approach isolates critical data residing on a user’s device from hackers and turns the computer into a dedicated machine for the purpose of interacting with the social media site. Such an approach is highly effective and does not place an excessive compliance burden on the user.
Twitter may also choose to upgrade its multi-factor authentication so that it does not depend on a mobile device but on a risk-based authentication process that includes challenge questions, or on device authentication that captures and analyzes the electronic “fingerprint” associated with the user’s hardware. Many banks already do this today, so the process is already familiar to users.
In addition, Twitter currently grants unfettered access to an account once a user is authenticated. For enterprise accounts, it may want to consider another layer of security, such as transaction monitoring to detect unusual activity. Just as banks detect and place a hold on unusual withdrawals or transfers, Twitter could monitor for changes in posting frequency, post content, and the destination of hyperlinks shared with followers to alert on potentially hacked accounts.
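To make the transaction-monitoring idea concrete, here is an added example (my own illustration, not anything Twitter or any bank runs) that scores each new post against an account's history on the three signals named above: posting frequency, post content, and link destinations. The activity log, thresholds, and domain names are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
WINDOW = timedelta(hours=1)  # window for the posting-frequency check

def link_domains(text):  # hostnames of every hyperlink in a post
    return {h.lower() for h in (urlparse(u).hostname for u in URL_RE.findall(text)) if h}
def words(text):  # vocabulary of a post with its links stripped out
    return set(re.findall(r"[a-z']+", URL_RE.sub("", text.lower())))

def build_baseline(history):
    """Learn normal behaviour from past (datetime, text) posts."""
    times = sorted(t for t, _ in history)
    peak = max((sum(1 for u in times if t <= u < t + WINDOW) for t in times), default=0)
    return {"peak_rate": peak,
            "domains": set().union(*(link_domains(x) for _, x in history)),
            "vocab": set().union(*(words(x) for _, x in history))}

def score_post(ts, text, recent_times, baseline, novelty=0.6):
    """Reasons a new post departs from the account's usual behaviour."""
    reasons = []
    if 1 + sum(1 for t in recent_times if ts - WINDOW < t <= ts) > 2 * baseline["peak_rate"]:
        reasons.append("posting burst")                # frequency: more than twice the past peak
    new_hosts = link_domains(text) - baseline["domains"]
    if new_hosts:                                      # destination: domain never shared before
        reasons.append("unseen link domain: " + ", ".join(sorted(new_hosts)))
    w = words(text)
    if w and len(w - baseline["vocab"]) / len(w) > novelty:  # content: mostly new words
        reasons.append("unfamiliar vocabulary")
    return reasons

def review_stream(history, stream):
    """Score posts in order; returns (timestamp, reasons) for each flagged post."""
    baseline, recent, alerts = build_baseline(history), [t for t, _ in history], []
    for ts, text in stream:
        reasons = score_post(ts, text, recent, baseline)
        if reasons:
            alerts.append((ts, reasons))
        recent.append(ts)  # the post joins the frequency window whether flagged or not
    return alerts

T = datetime.fromisoformat  # constructed sample activity below, not from any real account
HISTORY = [(T("2013-05-20 09:00"), "Our Q1 results are out: https://investors.example.com/q1"),
           (T("2013-05-20 10:30"), "Thanks to everyone who joined the earnings call today."),
           (T("2013-05-21 09:15"), "New blog post on product security https://blog.example.com/security"),
           (T("2013-05-22 14:00"), "Customer support hours are extended this week.")]
STREAM = [(T("2013-05-23 09:00"), "Read the latest on our blog https://blog.example.com/updates")] + [
    (T("2013-05-24 03:00") + timedelta(minutes=2 * i), "Claim your free prize now!! https://unknown-host.test/win")
    for i in range(5)]
```

Running `review_stream(HISTORY, STREAM)` leaves the routine blog post alone and flags all five early-morning posts, with the burst signal joining the unseen-domain and vocabulary signals from the third post onward; in practice the flagged post would be held for a second approver rather than silently dropped.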
Twitter’s current form of multi-factor authentication provides just one layer of protection, one that many enterprises will reject. Over time, we would expect it to adopt a layered approach that does not overburden the user while significantly improving security. Banks have been doing this for years; Twitter and other social media platforms would be wise to follow their lead.