
Lucky you. Twitter offers you its 'Digits' (for mobe app sign-ins)

No ma – no passwords

By John Leyden, 24 Oct 2014

Twitter's launch of a service that provides a new way to sign up to apps without using passwords has received a cautious welcome from security experts.

The new service, Digits, is designed to offer application developers a simpler, password-free login option for their mobile applications.

The utility is designed to fit into the trend of anonymous ephemeral messaging with apps like Snapchat that rely on verified mobile phone numbers alone for sign-in, rather than the traditional ID and password combination. Digits uses SMS messages to control access to registered accounts. Twitter is providing a utility that can handle this process on behalf of application developers.

David Emm, principal security researcher at Kaspersky Lab, said the Digits login service potentially offers a benefit to users, app developers and Twitter.

"Consumers no longer have to worry about creating a login and password combination to set up an account with an app provider, and they don’t need to have an email address," Emm explained. "App developers don’t need to develop their own framework for verifying logins, and they won’t lose potential customers who are put off because they don’t have an email address... and Twitter gets more visibility into what its customers are interested in."

Emm reckons that the new service is security-neutral – offering neither improvement nor drawbacks from existing systems.

"The new service doesn’t impact security one way or the other," Emm said. "If someone were to lose their device, or have it stolen, then the number verification would still work – and anyone with access to the device would be able to access an app in the same way as the legitimate owner."

"Given that the app, phone number and one-time passcode will all be on the same device, there’s no improvement in security," he added.

Security would only be improved with Digits if the code were sent to a different device, something most people would find inconvenient at best - or unworkable if they didn't have a second mobile.

"It [Digits] doesn’t represent a step backwards either. Currently, mobile apps don’t force a login each time the app is run anyway, so if someone steals a phone, and the owner isn’t using a PIN, passcode or fingerprint, the thief has access to everything – email, social networks and apps. In other words, security is dependent on a single-point-of-failure – the PIN, passcode or fingerprint used to access the device itself. Digits doesn’t change that," Emm concluded.

Digits was launched during Twitter’s first annual developer conference, Flight. More details of what the tool looks like, and Twitter's sales pitch for it to developers, can be found in a story by TechCrunch.

Security consultant Paul Moore was sceptical about the technology, which he argued only offered convenience as a benefit and struck the wrong balance between usability and security.

"Twitter Digits is marketed as a method of killing/replacing passwords for mobile and web-based authentication; opting instead for a 'confirmation code' sent via SMS," Moore told El Reg. "In truth, the confirmation code is actually an OTP or one-time password. In my opinion, they’re not suitable for use as a sole method of authentication (or in this case, verification); it’s introducing unacceptable risks which are tricky to mitigate."

"A traditional, static password is a 'knowledge' factor, or something only the user knows. Despite many flaws, this method of authentication still provides a reasonably high degree of certainty that the bearer of the password is actually the account owner," he added.

Relying on Digits sets up all sorts of possible problems, according to Moore.

"What happens if your phone is stolen, or you lend it to a friend/colleague in the office? How do you revoke the access token to your device? If you’re reliant on a password at any point during revocation (logging into Twitter for example), you haven’t really 'killed off passwords'," he explained. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing