I heard that Twitter supports two-step password account verification for user accounts. I’m not entirely sure what it is, but given how many people seem to have their Twitter accounts hacked, I’d love to learn more and set it up. What’s the scoop, Dave?
Great question! Anything that improves account security on any site is a good thing, and a popular social media service like Twitter is a definite target for hackers and other malicious online users. Better account security = good.
WHAT IS TWO-STEP VERIFICATION?
But let’s back up a bit. When you have a regular online account, you have one-step verification and it’s based on “what you know”: an account and password pair. For Twitter, my account name is @DaveTaylor and my password is, um, well, secret. But it’s only as secret as the weakest place it lives: it can be phished with a fake login page, guessed from a password I reused on some other site that got breached, or lifted by malware on my computer. So it’s “what I know”, but someone else could foreseeably learn it too and then gain unfettered access to my account. Bad.
Worse is that any savvy hacker immediately changes the account password, email address and recovery methods, so not only could they masquerade as me, they could lock me out of my own account. Muy malo.
A two-step verification system (also known as two-factor authentication, or 2FA) expands this to be both what you know and “what you have”: your mobile device. I’m rarely without my smartphone, and getting a code out of it is a lot harder for an attacker than getting my password, but with 2-step account verification set up I’ll need to both know secret information (what I know) and have my smartphone at my fingertips (what I have). Without both, the account/password pair by itself is useless. As a bonus, an unexpected login code arriving on my phone tells me someone is trying to log in with my password, which will immediately cause me to change it! One caveat worth knowing: a code sent by text message is only as safe as your phone number, and attackers have talked carriers into moving a victim’s number to a new SIM (a “SIM swap”) to receive those codes. An authentication app generates the code on the device itself, so it doesn’t have that weakness.
Standard Twitter accounts are one-step, of course, so if I told you my password, you could log in and do whatever you wanted, including changing the password to something I couldn’t guess. Bad news. So let’s set up that 2-step verification…
SET UP TWO-STEP VERIFICATION ON TWITTER
To start, log in to Twitter on your computer and, using the Web browser interface, click on the “••• MORE” link on the left side. This will bring up the “More” menu, from which you can choose “Settings and Support”, then “Settings and Privacy”, then, finally, choose “Security and account access” on the left side. Here’s what you’ll see on the left side of the page:
At this point click on “Two-factor authentication” to move to those specific settings…
As shown, there are three basic types of two-factor authentication, each offering “what you have” proof in addition to your existing (hopefully robust) password: text messaging on your smartphone, an authentication app, also on your smartphone, and a physical security key. The latter is a small gizmo that looks like a house key but plugs into a USB port (or taps the phone via NFC); it’s the strongest of the three, because the key only answers the real twitter.com and can’t be tricked by a phishing page, but it means buying and carrying a device, so it’s the least common choice.
For most users, either SMS text messaging or an authentication app is the way to go. Or set up both, as I do! If you do set up both, treat the app as your primary method and the text message as the fallback, for the SIM-swap reason above. Twitter will also hand you a backup code when you turn 2FA on; store it somewhere safe (not in a tweet!) so that losing your phone doesn’t mean losing your account.
SET UP TEXT MESSAGE AUTHENTICATION ON TWITTER
Let’s start with that text message authentication. Obviously, this means Twitter needs your current and correct smartphone number. You may have entered it when you signed up for Twitter in the first place, but we’ll verify it in this step anyway.
Click on the box adjacent to “Text Message” and an explanatory message appears, complete with a hard hat!
Click on “Get started” and if you don’t have a cellphone number associated with your account it will prompt you to enter it. Once you do, or if you already have one associated, it’ll ask that you verify you have access to it:
Click “Send code” and within a few seconds you’ll receive an SMS text message similar to this one I received on my iPhone:
At the same time, Twitter moves to a window prompting you to enter that secret code:
Enter the code you were sent and you’ve confirmed your phone and enabled 2-step verification:
SET UP AN AUTH CODE APP LIKE “AUTHY” TOO
While you’re in the 2-step authentication setup area, I also recommend you enable and configure an authentication app, which is the stronger of the two methods and a good backup if for some reason you lose your phone number or it changes. They’re surprisingly easy to use and one of my favorites is Authy (Google Authenticator, Microsoft Authenticator and 1Password all do the same job). Download your own favorite app to your smartphone, then go back to the main Two Factor Authentication screen, but this time choose “Authentication app”. The pop-up is subtly different:
If nothing else, we’ve lost our hard hat. Don’t tell OSHA, okay? 🙂
Click on “Get started” and the process will be rather different because you’re pairing a phone app with the Web site, and that’s done through a handy QR code.
I have obscured my own QR code for a very good reason: the QR code contains the shared secret that all future login codes are computed from, so anyone who scans it (from a screenshot, say) could generate my codes too. Yours won’t have an ominous skull and crossbones superimposed.
Meanwhile, on the phone, the AUTHY app offers up a view of the accounts I already have enabled and a “+” button to add a new site pairing. A tap on the “+” and the app offers this info:
No surprise, tap on “Scan QR Code” then point your phone at your computer screen so the QR code is front and center. It scans quickly and then lets you set up a nickname for the pairing:
I’m fine with the default, so a tap on “Save” and it’s ready to go, with a code that changes every 30 seconds:
That’s all that’s needed. Now any time I open up the Authy app and choose Twitter, I will get a 6-digit code that changes every 30 seconds. The trick is that Twitter and the app both hold the secret from that QR code and both compute the code from the current time (the standard is called TOTP, time-based one-time password), so Twitter can check my code without anything ever being sent to the phone. Enter the code and I’m logged in!
LOGGING IN TO TWITTER WITH 2-FACTOR AUTHENTICATION
What’s it look like in action? Log out of your Twitter account and go to log in again. You’ll see the usual account and password prompt, where you will still need to enter both correctly. Now, however, once you’ve entered the “what you know” portion and clicked “Sign in”, something new happens:
Your phone receives an SMS text message with a six-digit code (the “what you have” proof). Enter it, click “Submit” and you’re in. Want to use the authentication app instead? Click on “Choose a different verification method” and type in the code the app is showing at that moment. Easy.
That’s it. Now you know how to set up two-factor authentication for Twitter, whether you prefer SMS text messages or an authentication app. If you want better account security, turn on 2-step verification on every single service that offers it, from your Apple ID to PayPal, Yahoo Mail to Gmail, and start with your email account, since it’s the one that can reset the password on all the others. It’s just a good idea.
Pro Tip: I’ve been on Twitter since the early days and have written lots and lots of useful tutorials. Please check out my twitter help area for more useful guides. Oh, and why not follow me, @DaveTaylor, on Twitter too? Thanks!