Sunday, May 12, 2013

Two-Factor Authentication for Social Media Sites

Over the past couple of weeks there's been a lot of talk about social media accounts being compromised and the legal aspects of a company having its accounts owned. I for one don't think there needs to be regulation on how companies secure their social media accounts. Increased regulation doesn't mean better security. Ever.

With that being said, I think we need to start looking at how easy it is for an attacker to compromise social media credentials (keyloggers, malware, XSS, phishing, etc.). I read a stat today which said that if you've had a social media account for longer than 5 years, there's a 50% chance you've had your credentials compromised. That's a pretty scary statistic.

One way to limit the risk of social media accounts being compromised is to use two-factor authentication. Two-factor authentication requires both something you know (your password) and something you have (a token of some sort) at login. So even if an attacker manages to steal your password, it's unlikely they'll also hold your token. These tokens can be generated by many systems, but in the case of social media we're going to use the free Google Authenticator app.

Google Authenticator is a free download that implements the Time-based One-Time Password (TOTP) algorithm: the app and the site share a secret at enrolment, and the app derives a short code from that secret and the current time, which you type in as the second factor. Because the code changes every 30 seconds, a stolen password alone is no longer enough to log in. A few sites and products that Google Authenticator works with are Google Apps, WordPress and Microsoft accounts, and the list goes on. This isn't a silver bullet: a keylogger or phishing page that captures the current code can still use it within its short validity window, and if the device holding the secret is compromised so is the second factor. It does, however, make it much harder for both the password and the token to be stolen together.
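To make the "shared secret plus current time" idea concrete, here is an added example (not code from the original post, nor Google's own implementation) of the HOTP/TOTP algorithms Google Authenticator uses (RFC 4226 and RFC 6238), together with the verification step a site performs when you type the code in. The 30-second step, 6 digits, SHA-1 and a drift window of one step either side are the common defaults and are assumed here; the base32 secret string is a constructed sample, not a real account's key.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 shared secret shown in an enrolment QR code.

    Sites print the secret in groups, sometimes lower-case and without '='
    padding, so normalise before handing it to the strict decoder.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. Google Authenticator uses SHA-1, 30 s, 6 digits."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift; compares in constant time so the loop does not leak
    which candidate matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    matched = False
    for delta in range(-window, window + 1):
        candidate = totp(secret, timestamp + delta * step, step, digits)
        # Accumulate instead of returning early: same work regardless of which slot matches.
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


# Constructed sample secret for illustration only (decodes to b"Hello!\xde\xad\xbe\xef").
SAMPLE_SECRET_B32 = "JBSW Y3DP EHPK 3PXP"

if __name__ == "__main__":
    key = decode_base32_secret(SAMPLE_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print(f"current code: {code}")
    print("accepted now:", verify_totp(key, code, now))
    print("accepted two steps later:", verify_totp(key, code, now + 60))
```

Two details matter on the verifying side. The window exists because the phone's clock and the server's clock are never perfectly aligned; keep it small (one step either side is plenty), because every extra step you accept is another 30 seconds in which a code captured by a keylogger or phishing page is still usable. And the comparison uses `hmac.compare_digest` rather than `==` so the time taken does not depend on how many leading digits the attacker guessed correctly. The functions reproduce the RFC 4226/6238 test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with 8 digits gives `94287082`).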

After seeing the mini market crash that followed the compromise of the Associated Press's (AP) Twitter account, I started thinking about ways to secure social media accounts in an enterprise and was reminded that this technology is already available on several sites (Facebook among them), but that Twitter was still behind the eight ball on this feature. I'm sure the $136 million market crash might have pushed this Twitter feature to the top of QA's list.

So if you're using social media in any way, especially from a corporate standpoint, I would highly recommend setting up two-factor authentication with Google Authenticator (details can be found here), unless you're using Twitter, in which case you'll have to wait with the rest of us.
