Not a tremendously compelling argument, and I think the company may come to regret the know-it-all tone of the post. Hubris is not what you want in a security platform company.<p>The author cites two "flaws":<p>1. Your phone is offline sometimes.<p>Twitter has a backup code mechanism that covers this case. They talk about it, right in the post.<p>2. An attacker can send verification requests that look exactly like yours.<p>The sole use case for this mechanism is to verify login attempts by the phone's owner in <i>real-time</i>. If a verification request comes in and you're not actually trying to log into Twitter, or if you see more than one, you know you're being attacked.<p>It's true if you share a login among multiple coworkers then you're vulnerable to being tricked. But that's a bad practice to begin with, and this 2-factor system is still a massive improvement in security even for that scenario.
Neither TOTP (Google Authenticator) nor Twitter factors in how easy it is to malware/root Android phones these days. I still prefer Yubikey or other open-source cards until the state of mobile security improves (for example SEAndroid).
My first experience with the new two-factor auth has been poor.<p>1. I sign into Twitter with my browser.<p>2. My phone receives a push notification saying that I have a pending auth request.<p>3. So I click it and load the Twitter iOS app, and I see "You have no login requests" for that account, no matter how much I refresh it (it has been 10 minutes now).<p>4. Now I can't get into my Twitter account on the browser.<p>The urge to disable it is certainly strong.
Would one possible solution be to show a random word on the screen and add that as part of the authentication request? This would allow it to pair up with what you currently see on the screen and keep it simple enough where IP address or other technical details aren't required to be known.
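The two comments above make a pair of points about push-style verification: the first says that a request you did not start, or more than one request at once, is itself the signal that something is wrong; the second suggests showing a short code in the browser so the phone side can be paired with the screen in front of you. The sketch below is an added illustration of that design and is not Twitter's code or anything described in the linked post. It assumes a two-digit display code, a 120-second validity window and an in-memory request table, all of which are choices made here for the example. The server never pushes the code to the phone; the user types what the browser shows, so a request the user did not initiate cannot be matched, and a wrong code burns the request rather than allowing retries.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class LoginRequest:
    request_id: str
    display_code: str   # shown only in the browser that started the login
    created_at: float
    source_ip: str
    approved: bool = False


class PushVerifier:
    """Server side of a push second factor with a displayed pairing code.

    Assumed design for illustration only (not Twitter's implementation):
    the browser shows a short code, the phone asks the user to type the
    code they see, and the server compares the two. A request the user
    did not start carries a code they cannot see, so it cannot be approved
    by accident.
    """

    WINDOW_SECONDS = 120  # assumed validity window for a pending request

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self.pending = {}      # request_id -> LoginRequest

    def start_login(self, source_ip):
        """Called when a password login succeeds; returns what the browser shows."""
        req = LoginRequest(
            request_id=secrets.token_hex(8),
            display_code=f"{secrets.randbelow(100):02d}",
            created_at=self._now(),
            source_ip=source_ip,
        )
        self.pending[req.request_id] = req
        return req

    def phone_notifications(self):
        """What the phone app lists: the pending requests, never the code itself."""
        self._expire()
        return [(r.request_id, r.source_ip) for r in self.pending.values()]

    def too_many_pending(self):
        """More than one live request means a request the user did not start."""
        self._expire()
        return len(self.pending) > 1

    def approve(self, request_id, typed_code):
        """Phone-side approval: the user types the code the browser is showing."""
        self._expire()
        req = self.pending.get(request_id)
        if req is None:
            return False
        if not secrets.compare_digest(req.display_code, typed_code):
            # Wrong code: discard the request so it cannot be retried.
            del self.pending[request_id]
            return False
        req.approved = True
        del self.pending[request_id]   # one approval per request
        return True

    def _expire(self):
        cutoff = self._now() - self.WINDOW_SECONDS
        stale = [rid for rid, r in self.pending.items() if r.created_at < cutoff]
        for rid in stale:
            del self.pending[rid]


if __name__ == "__main__":
    v = PushVerifier()
    mine = v.start_login("198.51.100.7")       # constructed sample address
    print("browser shows:", mine.display_code)
    print("phone lists:", v.phone_notifications())
    print("approved:", v.approve(mine.request_id, mine.display_code))
```

The two-digit code is deliberately short because it only has to disambiguate requests the user can see; the guessing risk is bounded by the fact that only the enrolled phone can answer at all and a wrong answer consumes the request. `too_many_pending()` is the "if you see more than one, you know you're being attacked" rule from the first comment turned into something the app can surface.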
I know Twitter did this (primarily) in response to the AP hacking, but I fail to see how this change is going to help organizations (say...news) with multiple people sharing an account for business purposes.<p>We want to secure with 2-factor here in our offices, but it involves giving 10 people the app and possibly getting spammed every time someone logs in. I realize they went for this approach rather than have your average user type in numbers, but I can't help but feel confused by this move.
Mozilla Persona also uses pub/private key pairs, btw. And it seems just fine.<p>OTPs are great and all, but in the end you keep the damn unhashed secret on all machines that have to accept the OTP.