Following the recent news of Twitter’s new service called Digits, a feature which will allegedly allow users to sign into apps without having to remember passwords, David Emm, principal security researcher at Kaspersky Lab, decided to weigh in on how this service might affect consumers and security.
“Twitter’s new Digits login service certainly offers a benefit to everyone concerned. Consumers no longer have to worry about creating a login and password combination to set up an account with an app provider, and they don’t need to have an e-mail address. App developers don’t need to develop their own framework for verifying logins, and they won’t lose potential customers that are put off because they don’t have an e-mail address. Also, Twitter gets more visibility into what its customers are interested in.
“However, in my opinion, the new service doesn’t affect security one way or the other. If someone were to lose their device or have it stolen, then the number verification would still work – and anyone with access to the device would be able to access an app in the same way as the legitimate owner.
“I don’t think the new service can be hailed as a significant step in security. Given that the app, phone number and one-time passcode will all be on the same device, there’s no improvement in security. This would only be a step forward if the code was sent to a different device, but of course most people would find this inconvenient – and most people don’t have a second mobile phone. On the other hand, it doesn’t represent a step backwards either. Currently, mobile apps don’t force a login each time the app is run anyway, so if someone steals a phone, and the owner isn’t using a PIN, passcode or fingerprint, the thief has access to everything – e-mail, social networks and apps. In other words, security is dependent on a single point-of-failure – the PIN, passcode or fingerprint used to access the device itself. Digits doesn’t change that.”
David Emm is Principal Security Researcher at Kaspersky, a provider of security and threat management solutions.
David joined Kaspersky in 2004. He is a member of the company's Global Research & Analysis Team (GReAT) and has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon's Software, and Systems Engineer and Product Manager at McAfee.
In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online. He also provides comment to broadcast and print media on the ever-changing cyber-security and threat landscape. David has a strong interest in malware, ID theft and the human aspects of security, and is a knowledgeable advisor on all aspects of online security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.