Twitter has unveiled a new login verification feature that largely replaces the two-factor authentication system it rolled out in May to prevent a rash of password phishing attacks hitting its users.
The new system relies on strong encryption to provide iOS and Android smartphone users with an end-to-end solution that's not vulnerable to compromised SMS delivery channels. Unlike the current system, it also does away with the use of a "shared secret" between end users and Twitter, since the secrets are often just as vulnerable as passwords to phishing and other types of attacks. The cryptographic key used to approve login requests stays on a user's phone and is managed by the Twitter app itself. In addition to being more resistant to attack, the system is easier to use, company officials said.
"Now you can enroll in login verification and approve login requests right from the Twitter app on iOS and Android," Twitter security engineer Alex Smolen wrote in a blog post published Tuesday. "Simply tap a button on your phone and you're good to go. This means you don't have to wait for a text message and then type in the code each time you sign in on twitter.com."
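The design described above, as an added illustration that is not Twitter's code: the server keeps only a public key per enrolled phone, mints a one-time challenge for each login attempt, and accepts the login only when the phone returns a valid signature over it, so neither a phished password nor a dump of the server's key table lets anyone approve a login. The use of Ed25519, the challenge layout and the request ids are assumptions; the article does not name the algorithm or wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Server stores only public keys: a copy of its database yields nothing that
// can approve a login, unlike a password or a shared SMS/TOTP secret.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // user -> enrolled phone's public key
	pending map[string][]byte            // request id -> outstanding challenge
}

// Phone holds the private key, which never leaves the device (assumed Ed25519).
type Phone struct{ priv ed25519.PrivateKey }

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll generates the key pair on the phone and registers only the public half.
func Enroll(s *Server, user string) *Phone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	s.pubKeys[user] = pub
	return &Phone{priv: priv}
}

// NewLoginRequest mints a fresh random challenge for a web login attempt, bound
// to the account name (constructed layout), and returns its id plus the bytes to sign.
func (s *Server) NewLoginRequest(user string) (string, []byte) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	id := hex.EncodeToString(nonce[:8])
	s.pending[id] = append([]byte(user+"|"), nonce...)
	return id, s.pending[id]
}

// Approve is the "tap a button" step: the phone signs the challenge locally.
func (p *Phone) Approve(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

// Verify checks the signature with the enrolled public key and consumes the
// request, so a captured approval cannot be replayed against a later login.
func (s *Server) Verify(user, id string, sig []byte) bool {
	challenge, ok := s.pending[id]
	if !ok { return false }
	delete(s.pending, id) // single use, whether or not the signature checks out
	pub, enrolled := s.pubKeys[user]
	return enrolled && ed25519.Verify(pub, challenge, sig)
}
```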