
Twitter And Its Broken Two-Step Authentication Process

Bad design can creep into any process, whether small or as large as Twitter. I was thrust into this when I (rather innocently) changed my phone number – but forgot to turn off Twitter’s “login verification” process first. There is no way I could have known, but my specific use case of Twitter, coupled with a phone number change, locked me out. After much consternation, I understood Twitter’s two-step process is broken.

Without account access, I was placed in the (up to) three-day, but actually much longer, process of trying to regain access to the account. This included my having exhausted all known recovery options (none of which took two-step verification into account). Next, I had to contact support and wait until they emailed. Eventually, they were nice enough to turn off two-step and I once again had account access. But, being the idiot who didn’t have a “backup code”, I wanted to make sure that this time I got one and recorded it for posterity.

Probably worse is Twitter Support’s unwillingness to acknowledge the problem, or act on the issue. They explained that I “should have had a backup code”. As I continued to email Twitter, their response was to link me to the same support page I had already seen. Now, I can be a dope, but this left me reading the same lines of text over and over. As I read it for the fourth or fifth time, the problem became clear: Twitter’s two-step process is broken.

(Screenshot: Twitter's Backup Code Help) Is it clear that backup codes can’t be made via SMS?

Twitter’s two-step implementation (or login verification) currently includes the ability to get the second step verified on something you have; namely, your smartphone. You can be sent a verification code by way of a text message (SMS) or via the official Twitter application. This is the code you use to log in to Twitter’s website or any other client that implements Twitter’s two-step.

If for some reason you can’t get that second-step code, Twitter offers a backup option. This “backup code” is effectively a bypass code that gets you past the login verification and into your account; presumably, so you can correct the error and continue using the process. So, making it clear and easy for users to get a backup code, and ensuring all users of two-step authentication are given this option, is a no-brainer, right? Well, Twitter doesn’t do this.

The trouble is, using two-step by way of SMS is a stunted process on Twitter. You can’t use and change phone numbers easily. And, probably worse, there is no way to generate a backup code if two-step is enabled on SMS (and you don’t use the Twitter app). Once I changed phone numbers (not knowing a backup code even existed), I was essentially locked out of my Twitter account. That’s when you know a feature is not correctly implemented – it doesn’t work for a subset of users.
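To make the design point concrete, here is an added toy model (my own example, not Twitter's code) of how an enrollment flow avoids this lock-out: backup codes are issued whenever two-step is turned on, for SMS users as well as app users, and a phone number change is only committed once the new number has been verified. The phone numbers and the `verify_new` callback are constructed placeholders.

```python
import hashlib
import hmac
import secrets


class TwoStepAccount:
    """Toy two-step enrollment: backup codes for every delivery method,
    and the old phone number stays active until the new one is proven."""

    def __init__(self):
        self.method = None          # "sms" or "app"
        self.phone = None
        self.backup_hashes = set()  # hashed, single-use backup codes

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def enable(self, method, phone=None):
        if method == "sms" and not phone:
            raise ValueError("SMS delivery requires a phone number")
        self.method, self.phone = method, phone
        # Issue backup codes at enrollment regardless of method; store only
        # their hashes and show the plaintext once so the user can record it.
        codes = [secrets.token_hex(4) for _ in range(5)]
        self.backup_hashes = {self._h(c) for c in codes}
        return codes

    def use_backup_code(self, code):
        """Consume one backup code; constant-time compare, single use."""
        h = self._h(code)
        match = next((s for s in self.backup_hashes
                      if hmac.compare_digest(s, h)), None)
        if match is None:
            return False
        self.backup_hashes.remove(match)
        return True

    def change_phone(self, new_phone, verify_new):
        """verify_new(new_phone) must prove the user can receive SMS at the
        new number (e.g. a code sent there); until then nothing changes."""
        if self.method == "sms" and not verify_new(new_phone):
            return False
        self.phone = new_phone
        return True
```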

You might say, just install the Twitter application, generate a backup code, save it and move on. Or, you might also say this probably only affects a small percentage of Twitter users, since Twitter has been so effective at destroying third-party mobile clients. In both cases, you aren’t completely wrong. But the value in the effort to expose problems and bugs is the chance that Twitter might take notice and fix what’s broken. A guy can dream.