twitter and two factor take two

In 2014, I tried to enable two factor on Twitter and had to turn it off. Given the recent news that Twitter encourages everyone to change passwords, I decided to take another stab at it. I also learned that Twitter has more options for two factor now like Google authenticator.

Step 1: Changing the password

First, I changed the password. I clicked on the drop down with my picture and chose “settings and privacy”. Then I choose password and changed it. I got an email letting me know the password changed. Good.

Step 2: Surprise step – review apps

Twitter then reminded me that I have 18 applications that can access my account and asked if I wanted to review them. 18 sounds high so I said yes. There were a few general categories:

  • Apps with read only access – given that pretty much everything on twitter is public, I don’t mind that I gave a few sites access to read my profile. I did find one that was just for a one time test and doesn’t need it anymore.
  • Piping my tweets to Facebook – yes. I definitely want this.
  • Various twitter clients – some I don’t use anymore so cleaned this up a bit as well.
  • “social reputation monitoring” – it says I gave this site read/write/direct message access in 2015.  I don’t remember this and I certainly don’t want them to have it anymore. Revoke!
  • Linked in – While I don’t mind them having read access, I don’t want them having write access. Revoke. Same with Disqus. I wasn’t nearly paranoid enough in 2013.

Now I have 13 apps with read (or read/write) access. Still a lot, but at least I know what they are. It’ll be interesting to see which of the read only ones break. “I don’t mind” is different from “I really want it to work”

Step 3: Login verification (two factor)

As I was looking for two factor, I saw “login verification” under account options. That turns out to be what Twitter is calling two factor. I guess it sounds less scary.

However “setup login verification” was disabled. It says I need to confirm my email to turn this on. Ok. So how do I do that? It appears the only way to get a confirmation email is to change your email address. It was a bunch of steps, but I did:

  1. Change to myRealEmail+twitter@gmail.com (because gmail lets you add a plus and more text and still sends to you)
  2. Enter twitter password to confirm it is me
  3. In email, click confirmation
  4. Repeat these three steps to switch back to and confirm my “short form” email. (so I remember what I gave them)

Ok time to turn on two factor with SMS

  1. In account settings, click “setup login verification”
  2. Click start
  3. Enter twitter password to confirm it is me
  4. Send SMS code
  5. Enter SMS code from phone
  6. Generate a backup code in case I ever have issues

Now I have the option to setup alternate two factor methods

  1. In account settings, click “review your login verification methods”
  2. Click “setup” next to mobile security app
  3. Use google authenticator to scan the barcode
  4. Enter the generated code from google authenticator into twitter

Finally, I clicked “edit” next to text message verification so I am just using google authenticator and not text message.

Step 4: My twitter clients

Ok. Now for the test. Can I use Twitter in the devices I care about most? Things seem to work. Will post an update if that no longer stays the case!

Updates:

  • I can still use twitter on all my devices. So I don’t get prompted to login after the password change or two factor. It only takes effect for new logins. (This is good; I have a lot of places that I am logged into twitter.)
  • I got an email from an identify monitoring service that they no longer have access to my twitter. This service only told me about my own tweets so I’m leaving them without access. I was hoping they would tell me about other people’s tweets. I know what I tweet. And as fun as it is to be told I used the word “password” in my twitter…

2-factor authentication and twitter

I’ve had two factor for gmail enabled for two years.  This morning, I set up two factor for github and some others due to Heartbleed (check if sites you use are affected), Then there was Twitter.  After the other sites being straightforward, I expected the same from Twitter.  Twitter did not deliver.  I had to turn off two factor.  I’m left with secure my password and hope I notice if someone logs into my account.  (I think my friends would tell me about bad direct messages)

How to enable on a mobile device

  1. Install the official twitter app on my iPad
  2. Follow the menus described here
  3. Write down the backup code
  4. I logged off in a browser and re-logged in.
  5. Then I went to the twitter app and approved my login under settings.

And if it ended here, all would be fine.

Adding a phone number

I thought about adding a phone number as another option.  Don’t bother.  They are mutually exclusive.

Apparently they are mutually exclusive.  I cancelled the phone number sign up process part way through due to usability issues.  (Twitter wants you to text GO to 40404.  I don’t know how to do that on my BlackBerry.  I know how to reply to texts and text real numbers.  And I don’t want to lookup how to do it since I likely never will again.)

Anyway, when I clicked cancel on the process, it had already turned off my iPad option so I had to set it up again.  Grumble.

The BlackBerry app

Once I had two factor turned on, I was no longer able to logon to Twitter using the BlackBerry app.  A quick search online says I’m not the only one with this problem and the BlackBerry app just plain doesn’t support it.  Which means I can’t use two factor for Twitter.

enabling more two factor – paypal, dropbox, linked in and yahoo

I’ve had two factor for gmail enabled for two years.  This morning, I set up two factor for github.  Due to Heartbleed (check if sites you use are affected), I checked who else permits two factor to revisit what I should turn on.  Twitter has it’s own post because it didn’t go smoothly like the others did.

I had originally decided not to turn on two factor for sites that don’t provide an app as I prefer not to get texts.  However, I notice they only text you when you log in from a new device.  And I get enough junk texts by now that this is a rounding error.

Paypal

I have a paypal account but hardly use it.  It was so secure that I didn’t even know my main password.

  1. Go to this page.
  2. Choose the option to use a mobile number (vs a $30 device)
  3. Enter your phone number
  4. Enter the code sent via a text to prove you control that phone number.  Do so quickly.  The code expires in 5 minutes.

Dropbox

Dropbox was similar to github.  It uses Google Authenticator plus a backup phone code and backup text string.  The only annoyance was that I had trouble scanning the QR code.  I had to drag the browser to my second screen (which is larger so has better resolution.)

Dropbox didn’t make me re-connect my existing sessions.  I left them alone because I don’t want to sync all that data again.  Presumably two factor will protect me against anyone else using my login.

Linked in

  1. Go to the security page,
  2. Click Turn on for two factor
  3. Enter your phone number
  4. Enter the code sent via a text to prove you control that phone number

Yahoo mail

I hadn’t secured yahoo because I use it as my “backup” email provider.  Why not though.

  1. Go to this page.
  2. Enter your phone numbe
  3. Enter the “six digit” code sent via a text to prove you control that phone number.  (My “six digit” code was five digits.  I guess they are counting invisible leading zeros)