Twitter has “finally” added two-step authentication to all accounts (always with the “finally,” tech writers). This lets you require a one-off text message code every time you log in. Nobody without access to your phone can log into your account; ergo, only you can log into your account.
This is progress. Google has two-step, as do Facebook, Dropbox and even Yahoo. Sure, Twitter probably should have had it a long time ago, and it will prevent some hacking. But it might not be able to fix the problem that caused so many people to call for this feature in the first place.
Many, if not most, large brands allow multiple people to have access to their Twitter accounts, but Twitter two-step only lets you add one phone number to your account. A lot of the accounts that have been hacked recently, including accounts associated with the AP, Burger King, 60 Minutes and The Onion, were likely managed by multiple people.
The higher the profile of the account, the more valuable it is to hackers, and the less likely it is to be managed by a single person. Here’s a social media editor at NBC:
Bummed that it looks like Twitter two step verification doesn’t make sense for accounts with many people managing http://t.co/AD48wbRPRW
Twitter could add the option to authenticate with multiple numbers, but that would be 1) kind of clumsy and 2) very annoying to use. (You could achieve the same effect now by setting up multiple phones with the same Google Voice number. But if you’re the kind of person who might fall for a spear phishing attack, you’re probably not going to do that).
There’s no easy answer to what Twitter should do about these hacks — this, the solution other sites have been able to depend on up until now, doesn’t work for shared accounts. And, as BuzzFeed reported earlier this month, hackers are learning their way through two-step, too.
Twitter’s official line to journalists after the last round of hacks was to designate one computer for tweeting only. A nice idea, I suppose, but one that nobody will follow: a modern brand account, be it a news organization’s or one run by an ad agency, is managed not just by multiple people but from a vast array of devices. In other words, it’s as vulnerable as ever.