2-factor authentication and twitter


2-factor authentication and twitter

April 12th, 2014 by Jeanne Boyarsky

I’ve had two factor for gmail enabled for two years.  This morning, I set up two factor for github and some others due to Heartbleed (check if sites you use are affected).  Then there was Twitter.  After the other sites being straightforward, I expected the same from Twitter.  Twitter did not deliver.  I had to turn off two factor.  I’m left with securing my password and hoping I notice if someone logs into my account.  (I think my friends would tell me about bad direct messages.)

How to enable on a mobile device

  1. Install the official twitter app on my iPad
  2. Follow the menus described here
  3. Write down the backup code
  4. I logged off in a browser and re-logged in.
  5. Then I went to the twitter app and approved my login under settings.

And if it ended here, all would be fine.

Adding a phone number

I thought about adding a phone number as another option.  Don’t bother.  They are mutually exclusive.

Apparently they are mutually exclusive.  I cancelled the phone number sign up process part way through due to usability issues.  (Twitter wants you to text GO to 40404.  I don’t know how to do that on my BlackBerry.  I know how to reply to texts and text real numbers.  And I don’t want to look up how to do it since I likely never will again.)

Anyway, when I clicked cancel on the process, it had already turned off my iPad option so I had to set it up again.  Grumble.

The BlackBerry app

Once I had two factor turned on, I was no longer able to log on to Twitter using the BlackBerry app.  A quick search online says I’m not the only one with this problem and the BlackBerry app just plain doesn’t support it.  Which means I can’t use two factor for Twitter.

enabling more two factor – paypal, dropbox, linked in and yahoo

April 12th, 2014 by Jeanne Boyarsky

I’ve had two factor for gmail enabled for two years.  This morning, I set up two factor for github.  Due to Heartbleed (check if sites you use are affected), I checked who else permits two factor to revisit what I should turn on.  Twitter has its own post because it didn’t go smoothly like the others did.

I had originally decided not to turn on two factor for sites that don’t provide an app as I prefer not to get texts.  However, I notice they only text you when you log in from a new device.  And I get enough junk texts by now that this is a rounding error.


Paypal

I have a paypal account but hardly use it.  It was so secure that I didn’t even know my main password.

  1. Go to this page.
  2. Choose the option to use a mobile number (vs a $30 device)
  3. Enter your phone number
  4. Enter the code sent via a text to prove you control that phone number.  Do so quickly.  The code expires in 5 minutes.


Dropbox

Dropbox was similar to github.  It uses Google Authenticator plus a backup phone code and backup text string.  The only annoyance was that I had trouble scanning the QR code.  I had to drag the browser to my second screen (which is larger so has better resolution).

Dropbox didn’t make me re-connect my existing sessions.  I left them alone because I don’t want to sync all that data again.  Presumably two factor will protect me against anyone else using my login.

Linked in

  1. Go to the security page
  2. Click Turn on for two factor
  3. Enter your phone number
  4. Enter the code sent via a text to prove you control that phone number

Yahoo mail

I hadn’t secured yahoo because I use it as my “backup” email provider.  Why not though.

  1. Go to this page.
  2. Enter your phone number
  3. Enter the “six digit” code sent via a text to prove you control that phone number.  (My “six digit” code was five digits.  I guess they are counting invisible leading zeros.)

github and two factor authentication

April 12th, 2014 by Jeanne Boyarsky

Two years ago, I set up two factor authentication for my gmail account.  Last year, github announced the ability of two factor.  I hadn’t noticed at the time.  Today, I logged on to change my password since github was in the list of applications affected by Heartbleed and saw the option.

How it works

Github gives you a choice of second factor

  • Google Authenticator mobile application (I already had the iPad app installed for gmail so this was convenient)
  • text to mobile phone (I have this set as secondary)
  • written down one time use passwords (kept as tertiary)

Linking the mobile app to github

  1. Open the mobile app
  2. Click “edit” pencil
  3. Click “+” to add an account.
  4. On your computer, go to your github account settings and click to enable two factor.  You will be given a QR code to scan which automatically links the two.  There is also the option of typing in a long text code.

That’s it.  Now Google Authenticator generates two numeric codes.  One for gmail and one for github.

Actually using two factor

Unlike gmail, you probably don’t usually sign on to github using the browser.  Let’s look at three ways of signing in.

Through the browser

  1. I immediately logged out in the browser.
  2. Enter my password to sign back in
  3. Enter my two factor code

Through the github Mac app

  1. Github > Github preferences
  2. Click sign out
  3. Enter my username/password to sign back in
  4. Enter my two factor code

Through the command line

  1. On the account settings page, create a new personal token
  2. Leave the default privileges checked.  (It’s great there is this much control)
  3. git credential-osxkeychain erase
  4. git pull   (or any other operation that requires a network call to github)
  5. Enter your user id
  6. Enter your new generated token (not your password)

Current apps

As you might expect, the account settings page shows which apps have access.  I saw “GitHub for Mac” and “GitHub for Windows” on there.  My first thought was “I don’t use Windows.”  Then I remembered that I use git to communicate between my Mac and Windows VM.

Github references

Action items

If you haven’t already, please change your passwords for sites in this list.  Enabling two factor will protect you in the future.  Also change your passwords for any sites which use the same password as one of those in the list.