Talking Identity

April 24, 2013

The Conundrum of 2FA meets the Enigma that is PAM

“It’s a mystery. Broken into a jigsaw puzzle. Wrapped in a conundrum. Hidden in a Chinese box. A riddle.”
– The Riddler, The Long Halloween

Yesterday’s hack of the AP’s Twitter account was big. Not only did its impact on the stock market prove Ranjeet’s thesis that Twitter is now a SOX (Sarbanes-Oxley) application, it added to the long list of Twitter hacks that have led to repeated calls for Twitter to add two factor authentication (2FA) for their accounts. And the news that came out in the immediate aftermath of the AP hack is that Twitter is working on adding 2FA.

But this creates an interesting issue. Pretty much everyone that added 2FA after the now legen…wait for it…dary Mat Honan hack implemented the same mechanism: add a mobile number to the account, and supplement the normal password based authentication with a verification code that is sent to that mobile device via SMS. Works pretty well for your Google mail, your Facebook account, your iCloud account. But Twitter has an interesting challenge here (which may be why they didn’t rush to add it).

This method works pretty well when we’re talking about a personal Twitter account. But the accounts that are most likely to be attacked, and therefore in most need of stronger authentication, are the channel accounts – for brands, celebrities and organizations (like the AP). These accounts are usually not operated by an individual, but rather by teams of people. Twitter has no feature to support this, though there are any number of Twitter tools out there that facilitate it by adding a management layer on top. However, whether you’re using a tool or just managing this ad hoc, it all relies on the sharing of login credentials – the Twitter username and password. So what happens when 2FA is added to such accounts? Whose mobile number will be provided to Twitter? An SMS code is bound to one phone number, so a team can only keep working by passing that phone around or relaying codes to each other, which recreates exactly the credential sharing the second factor was meant to end. As Eve Maler pointed out in an excellent blog post, 2FA effectively kills any password sharing based approach.

It’s a far more interesting question to consider when you expand the arena to include enterprise applications. The IAM suite of products includes Privileged Account Management or PAM (aka PUM) products that are specifically designed to tackle the problem of shared accounts, usually highly sensitive (and therefore needing stronger protection) admin accounts. PAM products usually work by taking over the use and management of the shared password: the user authenticates to the PAM tool with their own unique credentials, and the tool then either signs them in to the target transparently (without ever revealing the password) or checks out a one-time use password that is rotated once the session is over. Both modes assume that the password is the whole credential. If the application being managed suddenly adds a second factor that is delivered to one person’s phone, the vault can rotate and inject the password all it likes, but it cannot complete the login, because it does not hold (and should not hold) that second factor. And with more and more enterprise applications now in the cloud, and adopting this kind of 2FA, one wonders what the future of PAM will look like (welcome to my world).

Maybe this is why Twitter didn’t rush to add 2FA to their accounts: they realized that doing so would break the usage model of some of their most valued users, the channel managers. And if they now roll out fast and cheap 2FA (as Eve put it) in response, then the very accounts they are doing this for are unlikely to turn it on, because of the impact it has on their operational model for using and managing Twitter.

The only real short-term answer for Twitter (and similar applications) is to roll out true delegation of usage rights to multiple identities. The model by which Facebook Pages are managed, where people authenticate using their individual Facebook identities and are granted fine-grained (!) admin rights, comes to mind here. This then ties back to Twitter being a SOX app and the need for IAM systems to treat these applications like any other enterprise application.

The only real long-term answer for all applications is to do real (not fast and cheap) MFA (multi-factor authentication) and to eliminate shared accounts by combining a delegated authorization model with claims-based recognition of identities. That, unfortunately, is a much harder problem to solve.
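To make the contrast between the two models concrete, here is an added toy simulation. It is my own illustration, not code from this post, from Twitter, or from any PAM product. It covers both the PAM paragraph above (a vault that hands out and rotates the shared password after the operator has authenticated to it as themself) and the delegation paragraphs (each team member logs in as themself, with their own second factor, and is granted rights on the channel). The `ChannelService`, `PamVault` and `Phone` classes, the `run_scenario` walk-through, the `ap`, `alice` and `bob` names and the `publisher` role are all invented for the example. The second factor is HOTP per RFC 4226 rather than an SMS code, because what matters here is that the factor is bound to one device, and HOTP can be run offline; the validator accepts only the exact next counter, with no look-ahead window.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Phone:
    """One person's second factor (invented stand-in for a device); only its holder can read codes."""
    def __init__(self):
        self.secret, self.counter = secrets.token_bytes(20), 0

    def next_code(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter - 1)


class ChannelService:
    """Stand-in for the application that owns the channel account (invented, not Twitter's API)."""
    def __init__(self):
        self.accounts = {}   # user -> {"password", "otp_secret", "otp_counter"}
        self.delegates = {}  # channel -> {user: set of roles granted on that channel}
        self.audit = []      # (actor, channel, action)

    def create_account(self, user: str, password: str):
        self.accounts[user] = {"password": password, "otp_secret": None, "otp_counter": 0}

    def enroll_second_factor(self, user: str, phone: Phone):
        self.accounts[user].update(otp_secret=phone.secret, otp_counter=phone.counter)

    def login(self, user: str, password: str, code=None):
        """Return the authenticated principal, or None. Once enrolled, the code is mandatory."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        if acct["otp_secret"] is not None:
            expected = hotp(acct["otp_secret"], acct["otp_counter"])
            if code is None or not hmac.compare_digest(expected, code):
                return None
            acct["otp_counter"] += 1  # a used counter can never be replayed
        return user

    def post(self, actor, channel: str, text: str) -> bool:
        """Allowed if the actor IS the channel account or holds the publisher role on it."""
        roles = self.delegates.get(channel, {}).get(actor, set())
        allowed = actor is not None and (actor == channel or "publisher" in roles)
        if allowed:
            self.audit.append((actor, channel, f"post:{text}"))  # records the person, not the handle
        return allowed


class PamVault:
    """PAM-style broker (invented): hands the shared password to an operator who has authenticated to
    the vault as themself, rotates it on check-in, and logs who had it. It holds no second factor."""
    def __init__(self, service: ChannelService, channel: str, password: str):
        self.service, self.channel, self.password, self.audit = service, channel, password, []

    def checkout(self, operator: str) -> str:
        self.audit.append((operator, self.channel, "checkout"))
        return self.password

    def checkin(self, operator: str):
        self.password = secrets.token_urlsafe(24)
        self.service.accounts[self.channel]["password"] = self.password  # target's password-change API
        self.audit.append((operator, self.channel, "rotate"))


def run_scenario() -> dict:
    """Walk both models with constructed accounts; returns the outcomes the post argues about."""
    svc = ChannelService()
    svc.create_account("ap", "initial-shared-secret")
    vault = PamVault(svc, "ap", "initial-shared-secret")
    alice_phone, bob_phone = Phone(), Phone()
    out = {}
    # Model A before 2FA: bob checks the shared password out of the vault and posts as @ap.
    out["vault_login_before_2fa"] = svc.post(svc.login("ap", vault.checkout("bob")), "ap", "hello")
    vault.checkin("bob")
    # Alice enrolls HER phone on the shared account. The vault still has a valid password,
    # but the password alone no longer logs in, and the code lives on a device it cannot see.
    svc.enroll_second_factor("ap", alice_phone)
    pw = vault.checkout("bob")
    out["vault_login_after_2fa"] = svc.login("ap", pw) is not None
    out["vault_login_with_alices_code"] = svc.login("ap", pw, alice_phone.next_code()) is not None
    # Model B: bob logs in as himself with his own phone; he can post only once delegated.
    svc.create_account("bob", "bobs-own-password")
    svc.enroll_second_factor("bob", bob_phone)
    out["undelegated_post"] = svc.post(svc.login("bob", "bobs-own-password", bob_phone.next_code()), "ap", "nope")
    svc.delegates["ap"] = {"bob": {"publisher"}}
    out["delegated_post"] = svc.post(svc.login("bob", "bobs-own-password", bob_phone.next_code()), "ap", "hi")
    out["delegated_actor"] = svc.audit[-1][0]
    return out
```

Running `run_scenario()` shows the vault login succeeding before the phone is enrolled, failing afterwards unless Alice reads her code out to whoever holds the checked-out password, and Bob posting to the channel under his own identity, which is the name that lands in the audit trail. The vault's own log still records who checked the password out, but once the second factor exists it can no longer complete a login on anyone's behalf.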

[UPDATE 5/23/2013] – So Twitter has finally added two factor authentication. And it is, as expected, not done the way that they needed to do it (and why are they calling it “login verification”?). Let’s see how channel managers respond, and if Twitter notices (when they track who turned it on).

Tags:Multi-Factor Authentication, Passwords Must Die, Privileged Account Management, Shared Accounts, Twitter

About The Author

Nishant Kaushik

One Comment
  1. Bob Pinheiro

    Here’s one possible approach to this problem:
    https://www.idecosystem.org/wiki/Delegated_Authentication_for_User_Managed_Access

    April 24, 2013
