First, see these headlines and stories:
- TechCrunch: “In Our Inbox: Hundreds Of Confidential Twitter Documents”
- TechCrunch: “Twitter’s Financial Forecast Shows First Revenue In Q3, 1 billion users in 2013”
- TechCrunch: “Another Security Tip For Twitter: Don’t Use ‘Password’ As Your Server Password”
- TechCrunch: “Twitter’s Internal Strategy Laid Bare: To Be ‘The Pulse Of The Planet’”
- NYT: “Twitter Hack Raises Flags on Security”
- Twitter Blog: “Twitter, Even More Open Than We Wanted”
- New 2009-7-19: TechCrunch: “The Anatomy Of The Twitter Attack” (blow-by-blow description and how-to manual)
- New 2009-12-18: TechCrunch: “The Anatomy of The Twitter Attack: Part II” (Twitter’s latest attack — DNS host compromised)
- New 2012-8-6: Wired: “How Apple and Amazon Security Flaws Led to My Epic Hacking”
Now, ask yourself this:
Is having (good) two-factor authentication (TFA) on its Google Apps and Gmail accounts something that Twitter would pay for? A GToken, perhaps, for each user?
Of course it is. And, to answer the begged question: yes, TFA could have prevented this breach. New: see “The Anatomy Of The Twitter Attack” and consider what would have happened if Twitter had been using TFA (and it had been required for password resets).
It’s the same for many other individuals and companies. In fact, once good TFA is easily accessible, it will become a requirement, not just the differentiator it is now. Companies that tell their customers, partners, investors, lenders, etc. that they follow security best practices will have to use TFA.
Mini rant / idea:
It’s 2009, and every person and company that wants one should be able to get a token (or iPhone app or whatever) and register/authenticate it with websites that support it (somewhat similar to the OpenID or OAuth model).
So there might be an OpenTFA.com or 1token.com website (or whatever) where consumers and companies buy these things and developers build against the API, implement it, whatever. BTW, if anyone is interested in those domain names, get in touch.
2010-1-7 Update: 768-bit RSA cracked. For the hackers and crackers out there: CryptoCracker.com, where, for a fee, you submit a cracking task to a cluster and it sends you the results when it’s done. Price is set according to a matrix: crackable items down the rows and turnaround times across the columns. The harder the crack and the faster you want it completed, the higher the fee.
Best to do everything open source. Many reasons for that, especially with cryptography and security (see your favorite crypto geek / security geek websites).
Why not do this, and do it now? Yes, I’m aware of the problems. F-ck ’em, problems are opportunities. Actually, people are already working in this direction, including Stina Ehrensvärd, CEO and founder of Yubico. Stina was one of the panelists at the recent TechCrunch event that Mike, Petra, Rassami, and team put on in Stockholm last month (official page and BuzzPal Blog page).
PS: Why did TechCrunch get so many links? Because they (Mike Arrington and team) broke and drove the story.
2009-7-17 UPDATE: From this Google blog post: “since 2006 we have supported SAML Single Sign On, a protocol that allows organizations to use two factor authentication solutions such as certificates, smartcards, biometrics, one time password devices, and other stronger tokens.”