TOTP in Twitter?

XIII
edited February 2017 in Lounge

All of a sudden I see a button "Setup a code generator App" with the description "Use an authenticator app to generate a time-based passcode that can be used to access your account." in my Twitter account settings. I have tried that; it seems to be a regular TOTP-based one-time password that can be stored in 1Password (1Password parses Twitter's QR code and Twitter accepts the code generated by 1Password in the setup page). However, when I log out and try to log in again I still have to wait for a push notification to the Twitter app in which I need to approve access to my account.

There is some documentation on Twitter's Help Center, but that's apparently not good enough for me... :(

Did anyone find out how to get this TOTP working instead of the old Twitter proprietary solution? If so, please share!

Comments

• brenty

    Team Member
    edited February 2017

@XIII: I can't find any reference to this in my own account (only that awful SMS), so I wonder if it's something they're rolling out a bit at a time. I know they like to do that with features. Annoyingly, Google wasn't much help either, as the first result for "twitter TOTP setup" is...this discussion. Maybe someone else who has access to this option can chime in with some details. I'd love to get this working myself!

  • A search on Twitter reveals that several people have this option in their Twitter profile (for a couple of weeks now), but no explanation on how it works. I saw one tweet that says that TOTP is only a "backup" for SMS on Twitter... (I don't get any SMS; I get push notifications in their iOS App)

• Looks like this feature has actually been available for 2 months:

    However, none of the tech sites I visit seem to have reported about this... (so no simple how-to?)

• Ben AWS Team

    Team Member

    Hmm... So I just tried to set this up. I was able to get 1Password to generate their TOTP codes (no surprise there), but I see no way to specify that as the only/primary MFA method. SMS seems to be the default, with no way of changing that. If you find a way, please let me know, as I'd like to do the same for myself. :)

    Ben

  • So this is "working" for me in that the TOTP code works as an alternate to the SMS code on login once it's set up (and their login page seems to mention this properly now). But it still sends me an SMS, which is stupid. I set up TOTP so I don't have to get a text message all the time. Fortunately I use TweetBot on iOS almost exclusively so I don't have to deal with the Twitter website regularly, but it's still dumb :-)

• brenty

    Team Member

> So this is "working" for me in that the TOTP code works as an alternate to the SMS code on login once it's set up (and their login page seems to mention this properly now). But it still sends me an SMS, which is stupid.

    @dszp: I'd also like to add "insecure". :tongue:

> I set up TOTP so I don't have to get a text message all the time. Fortunately I use TweetBot on iOS almost exclusively so I don't have to deal with the Twitter website regularly, but it's still dumb :-)

    Yeah that's really weird. I was excited about this, but I think I'm going to hold off until they (hopefully) iron out the kinks. Being outside of my "service area" and not wanting to pay exorbitant fees for "roaming", I can't actually get SMS currently...and I'm not confident that someone else won't get them in my absence. :lol:

• @brenty I won't argue the "insecure" part of SMS for OTPs, but I will point out that using them vs. not using any OTP/2FA system is still a huge risk reduction. The ability of an attacker to intercept SMS is still a tremendously small percentage of attacks and a much higher bar, regardless of technical ease :-) There are those with risk, but it's not the average person. The average person is probably more likely to have malware that intercepts them typing the code and the resulting session directly on their computer than to have their SMS code intercepted. If you're a public figure that risk profile changes of course...

• brenty

    Team Member
    edited March 2017

    @dszp: With 2FA of any kind, probably a more easily exploited weakness is cloning. Jamie had some good points on this topic as well. Certainly you're right that interception is, perhaps, unlikely, but that too goes back to security through obscurity, and isn't something we want to rely on given we're responsible for ensuring that 1Password users' data is secure right up until the point where the database and Master Password (and Account Key) are in the possession of the attacker. And it's important to note that 2FA doesn't protect against this final scenario either. We really have to design a 1Password that is secure for everyone, regardless of their risk profile, rather than saying "by the way, if you're a public figure, this might not be a good option for you." I know that's not what you're suggesting, but it's something we have to take into account.

    I agree that 2FA can provide benefits, but can also be a significant point of weakness, as in most cases the user needs an escape hatch in case they lose the secret or can't connect, in the form of resets or offline codes. There's a more "hardline" approach that can be adopted of course, but along with the security benefits, the risk that the user will get locked out of their own data is much higher. The ultimate security of course is destroying the key, but at that point security isn't benefitting the user either.

• @brenty good points, but I'm talking about Twitter's decision to leave SMS on regardless of the status of TOTP code setup. Just saying having SMS 2FA is better than nothing at all, even if it's defeatable more easily than keyed TOTP. Twitter should turn off SMS once TOTP is set up, like pretty much all others do, but it's "better than nothing" until they get their act together (and they only supported SMS previously!). I have no issues with the 1Password implementation :-)

• brenty

    Team Member

    @dszp: You're right. And I think that in the case of something relatively low-sensitivity like a Twitter account (as opposed to email or 1Password), that seems like a reasonable compromise. I really hope that Twitter gets this streamlined a bit! :lol:

• Ben AWS Team

    Team Member

    I have to disagree with Twitter being low sensitivity. A number of websites allow Twitter as an SSO option now, and even places like Keybase use it as a form of identity verification. So someone getting ahold of your Twitter account could potentially be very damaging, beyond even the obvious consequences.

    Ben

• brenty

    Team Member

    @Ben: Thanks. That's a good point. I should have said that it's low sensitivity for me since I don't generally use SSO for sites. But it was foolish of me to apply my own use universally.

• Ben AWS Team

    Team Member
    edited March 2017

    :+1: :)

    Ben
