[falsedan]

When you are designing a two-factor security system, you have to select two of the following three sources of information to authenticate you: something you know; something you have; something you are. In twitter's case, they've chosen 'know' (password) and 'have' (phone).

The private key in on your phone. The two factors are: your password, and the private key on your phone. You have to have a phone with the twitter app installed.

[rodolphoarruda]

> ...you have to have a phone...

And that's a problem if you live in some cities of the so called third world where phones are stolen at the same rate bananas are picked from trees in Congo by monkeys. I don't feel comfortable at all about the "having a phone" part of my authentication process simply because the device can be stolen at any moment. My attorney had 16 phones stolen in the past 5 years. Virtually all the people I know had their phone stolen at least once. And if the idea of regaining access to your account without the phone is "hard" as claimed by Twitter's sec guys... ufff, I won't even bother to install the app thing. I think biometrics is the only security measure that will work in our violent cities here, not only for web services access, but for device usage itself.

[falsedan]

Someone compromising my twitter account does not compared to having my phone stolen! If your twitter account is a significant asset, you could keep a cheap smart phone on your desk as a smart card substitute, or practice strict password hygiene & not enable 2-factor authentication?

[ricardobeat]

Biometrics is not fundamentally different from using a password lock, just stronger. It's virtually impossible to break iOS' encryption with today's technology.

Or you know, just don't use a phone... there are plenty of companies offering password management solutions using browser extensions or desktop software.

[smsm42]

Do you really need to break iOS encryption? I'm not a big pro in iOS but I heard there are many forensic companies which specialize on extracting data from iOS devices, and from their pages[1] it looks like you can extract quite a lot of stuff from somebody else's phone.

[1] http://www.cellebrite.com/forensic-solutions/ios-forensics.h... http://www.elcomsoft.com/eift.html

[ricardobeat]

Doesn't appear to be the case: http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-...

Their 'physical analyzer' doesn't work from the iPhone4S or iPad 2 onwards (under Click here to view all supported iOS devices).

[smsm42]

Wait, so there's a backdoor, but police doesn't own it? Then I'm pretty sure NSA either has it or has a way to make Apple tell them how to use it, and it is done is some "security letter" manner that doesn't need a warrant and permissions from any non-kangaroo court. This is how these things are done these days. In any case, this confirms the backdoor exists and Apple has official queue for police to use it. One can only guess who else can access it and with which procedure...

[smsm42]

Strictly speaking, Twitter does not check what you "have" - it only checks that you "know" the secret key. If I stole your phone, dumped all info there and then returned the phone to you - I still could use the private key to fool Twitter into thinking I'm you, couldn't I?

The key is just harder to steal because it is big and is not sent out. But this doesn't seem to have much to do with phones...

[falsedan]

You've just described a physical token duplication attack. A consumer phone certainly is easier to attack than a SecurID or smartcard, but it's a far sight from a really really long password. For starters, the challenge response is calculated by the phone's hardware, so that the private key is not exposed.

The "what you know"-type authentication is literally what you know, not "I don't know it but it's written down on my phone, hang on a sec". You're supposed to be able to provide it without reference to notes (or Post-Its stuck to the bottom of keyboards).