I heard that Twitter recently announced two-step password account verification for user accounts. I’m not entirely sure what it is, but given how many people seem to have their Twitter accounts hacked, I’d love to learn more and set it up. What’s the scoop, Dave?
Great question! Anything that improves account security on any site is a good thing, and a popular social media service like Twitter is a definite target for hackers and other malicious online users. Better account security = good.
I’ve written extensively about 2-step verification, including how to set up 2-step verification for Facebook, 2-step verification for PayPal, and setting up 2-step security for Google Gmail.
But let’s back up a bit. When you have a regular online account, you have one-step verification, and it’s based on “what you know”: an account and password pair. For Twitter, my account name is @DaveTaylor and my password is, um, well, secret. But it’s not that secret, because someone with a Wi-Fi sniffing app could potentially pull it out of the network traffic if we’re both on the same network. So it’s “what I know”, but someone else could conceivably learn it too. Bad.
A two-step verification system expands this to be both what you know and “what you have”: your mobile device. I’m pretty much never without my smartphone, and that’s a lot harder for someone to hack or duplicate, so with 2-step account verification set up, I’ll need to both know secret information (my password) and have my smartphone at my fingertips (what I have). Without both, the account/password pair is useless, and I’ll get a notification on my phone that someone’s trying to log in (which will immediately cause me to change my password!).
Standard Twitter accounts are one-step, of course, so if I told you my password, you could log in and do whatever you wanted, including changing the password to something I couldn’t guess. Bad news. So let’s definitely set up that 2-step verification…
To start, log in to Twitter and, using their Web browser interface, click on the gear wheel on the top right:
As you can see, select “Settings” to proceed and here’s what you’ll soon see on the left side of the page:
Before you go any further, verify that Twitter has your correct mobile number. Without it – and without the ability to accept SMS text messages – you can’t proceed. To do that, click on “Mobile” and update it as needed.
Now click on “Account” on the left and scroll down until you find this:
Click on “Require a verification code when I sign in” and, as expected, Twitter wants to verify you have a smartphone, you can receive SMS messages, and you have the correct phone number on file:
Ready?
Deep breath.
Click “Okay, send me a message” and within a few seconds you’ll receive something similar to this message I got on my iPhone:
Interestingly, it doesn’t send a numeric code or anything similar; it just sends that generic message and asks you “good? got it?”, as you can see in your Web browser. In fact, you don’t even have to say “got it”, because if the message didn’t fail to arrive, Twitter assumes you’re good to proceed…
Enter your password again to save the fact that you’re enabling 2-step verification and you’re done:
Done.
Now, what’s it look like in action? Log out of your Twitter account and go to log in again. You’ll see the usual account and password pair:
Now, however, when you’ve entered the “what you know” portion of your account verification process and clicked “Sign in”, something new happens:
Your phone then receives an SMS text message with a six-digit code (the “what you have” proof), similar to 203493. Enter it, click “Submit” and you’re in.
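To make the two steps concrete from the service’s side, here is an added example (not Twitter’s code, and not from the original article) of how a login back end can enforce “what you know” followed by “what you have”. It assumes an in-memory user store, PBKDF2 password hashing, and a six-digit one-time code that expires after two minutes and allows only a handful of wrong guesses; the names `TwoStepLogin`, `step1_password` and `step2_code` are hypothetical. The code would be handed to an SMS gateway in a real deployment rather than returned to the caller.

```python
"""Two-step login: 'what you know' (password), then 'what you have' (one-time code).

Added illustration, not Twitter's implementation. All names and limits are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 120     # a code that is not used promptly is discarded
MAX_CODE_ATTEMPTS = 5      # caps online guessing of the six-digit code
PBKDF2_ROUNDS = 200_000


class TwoStepLogin:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._users = {}         # username -> (salt, password_hash)
        self._pending = {}       # username -> [code, expires_at, attempts_left]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def step1_password(self, username, password):
        """'What you know'. Returns a fresh one-time code on success, else None.

        In production the returned code goes to the SMS gateway, never to the browser.
        """
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS]
        return code

    def step2_code(self, username, submitted):
        """'What you have'. One valid code per password success, time- and attempt-limited."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # no password step preceded this, or code consumed
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[username]       # expired or locked: force a fresh step 1
            return False
        # Constant-time comparison on bytes so mismatched lengths or odd input never raise.
        if hmac.compare_digest(code.encode(), str(submitted).strip().encode()):
            del self._pending[username]       # a code is single-use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]
        return False


if __name__ == "__main__":
    svc = TwoStepLogin()
    svc.register("dave", "correct horse battery staple")   # constructed sample credentials
    sms_code = svc.step1_password("dave", "correct horse battery staple")
    print("code sent via SMS (constructed demo):", sms_code)
    print("wrong code accepted?", svc.step2_code("dave", "000000" if sms_code != "000000" else "111111"))
    print("right code accepted?", svc.step2_code("dave", sms_code))
```

The design choice worth noting is that the code is bound to a specific successful password check: it is created only after step 1, it is consumed on first success, it times out, and it locks after a few wrong guesses. That is what makes a stolen password alone insufficient, which is the whole point of the “what you have” step the article describes.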
Sweet. My take: if you want better account security, sign up for 2-step verification on every single service that offers it, from iTunes to PayPal, Yahoo Mail to Google Mail. It’s just a good idea.