I enabled two factor on many sites last year. Amazon is a bit late to the party, but they finally have two factor support. While they waited a long time, they did a good job with it.
Sign up was easy. They give you a choice of an authenticator app including scanning with your device to connect. Or you can use a mobile phone number for voice or text. Or you can use a landline with voice. You can set a second of these options as a backup. I like that there were choices.
You are also asked whether the current device is trusted, which is good, as you don't get prompted repeatedly from your main/home computer.
I also took this opportunity to check on twofactorauth.org to see if any other sites I use have added support. I was disappointed by how many banks don’t support two factor. I tweeted at four of them with the link on the page. (I don’t have accounts at all four).
I emailed a company today asking for my account to be linked. I did NOT ask for a password reset. What I got was an email with a plain-text copy of my password. Aghhhhh! That's just asking for someone to hack my account (or all the accounts). Passwords should be stored using a one-way hash at least.
Problem 1 – username
My user id is not my last name, email or anything I have any shot of remembering. And I didn't get to pick it, which means it is written down.
Problem 2 – storing the password in plain text
This company shouldn’t be storing passwords in plain text or any “encoding” where they can get the original password. And the only thing I can think of to make that worse is to email the password.
Problem 3 – password requirements
Since my password was sent in the clear, I went to change it. I wanted to make it a sentence about not emailing the password. That way if someone does it again, he/she at least has to read my note. I changed the letter s to $ in my sentence as one might expect. Guess what? Only letters and numbers are allowed.
Really guys? It’s 2015.
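Problems 2 and 3 have the same fix: a site that stores only a salted, slow one-way hash cannot email anyone the original password, and because the hash takes arbitrary bytes, there is no reason to restrict the characters a password may contain. The following is an added example of that approach (it is not the company's code): PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt, a self-describing stored record, constant-time verification, and a policy check that cares about length rather than forbidding `$`. The iteration count is an assumption to be tuned for the server in question.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: a reasonable current work factor; benchmark on real hardware
SALT_BYTES = 16
MIN_LENGTH = 12        # assumption: the policy only sets a floor on length, never a character set


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "alg$iterations$salt_b64$digest_b64".

    The record contains nothing from which the password can be recovered;
    a fresh random salt per user means identical passwords get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def check_password_policy(password: str) -> List[str]:
    """Return a list of policy violations; empty means the password is acceptable.

    Any printable character, including '$', is allowed: the hash does not care.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not password.isprintable():
        problems.append("must contain only printable characters")
    return problems


if __name__ == "__main__":
    # Constructed sample password in the spirit of the post's sentence-with-a-$ idea.
    chosen = "Please do not email my pa$$word"
    print("policy problems:", check_password_policy(chosen) or "none")
    stored = hash_password(chosen)
    print("stored record:", stored)
    print("password visible in record:", chosen in stored)
    print("correct password verifies:", verify_password(chosen, stored))
    print("wrong password verifies:", verify_password("Please do not email my password", stored))
```

Storing the algorithm and iteration count inside the record is what lets you raise the work factor later: old records still verify with their own parameters, and can be re-hashed the next time the user logs in.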
I’ve had two factor for gmail enabled for two years. This morning, I set up two factor for github and some others due to Heartbleed (check if sites you use are affected). Then there was Twitter. After the other sites being straightforward, I expected the same from Twitter. Twitter did not deliver. I had to turn off two factor. I’m left with securing my password and hoping I notice if someone logs into my account. (I think my friends would tell me about bad direct messages.)
How to enable on a mobile device
- Install the official Twitter app on my iPad
- Follow the menus described here
- Write down the backup code
- I logged off in a browser and re-logged in.
- Then I went to the Twitter app and approved my login under settings.
And if it ended here, all would be fine.
Adding a phone number
I thought about adding a phone number as another option. Don’t bother. They are mutually exclusive.
Apparently they are mutually exclusive. I cancelled the phone number sign-up process part way through due to usability issues. (Twitter wants you to text GO to 40404. I don’t know how to do that on my BlackBerry. I know how to reply to texts and text real numbers. And I don’t want to look up how to do it since I likely never will again.)
Anyway, when I clicked cancel on the process, it had already turned off my iPad option so I had to set it up again. Grumble.
The BlackBerry app
Once I had two factor turned on, I was no longer able to log on to Twitter using the BlackBerry app. A quick search online says I’m not the only one with this problem and the BlackBerry app just plain doesn’t support it. Which means I can’t use two factor for Twitter.