In my previous blog post I reviewed the results of a poll asking journalists if they used two-factor authentication to protect Twitter accounts from being hacked. But the importance of robust security isn't limited to personal Twitter accounts.
After the poll, I spoke with contacts at 31 news outlets around the world--including some of the largest international outlets, prominent news websites, and local newspapers--as well as six human rights and freedom of expression organizations, and a renowned journalism school about their views on social media security and two-factor authentication. [For security reasons, the organizations with whom CPJ spoke are not being named.]
Many of the contacts with whom I spoke said that two-factor authentication had not been enabled because of the difficulties in locking a shared Twitter account to a single phone. This should not be an impediment. A step-by-step guide for setting up two-factor authentication for shared accounts can be found at the end of this blog post.
Out of the 31 media companies, only six said that two-factor authentication is in use to protect the company's official Twitter accounts. One contact--who is based in South Asia--said his company had not previously considered hacking a real risk, but after recent incidents decided to enable two-factor authentication. Contacts at 19 other organizations said either that their companies didn't use two-factor authentication or had never heard of it. Another six were willing to talk in general about security practices, such as selecting strong passwords, but did not discuss specifics of protecting social media accounts. Of the human rights and freedom of expression organizations I talked to, only one said their company uses it. The journalism school did not.
Several of the contacts at U.S.-based news outlets I spoke with said that their company pays for a third party service to protect the official social media accounts. These services offer features such as "locking" a Twitter account if there is suspicious activity. Even if a newsroom decides to use a third party, it should still enable two-factor authentication on the Twitter account and ensure that the third party company it uses offers two-factor authentication capability.
The number of outlets I spoke to may not be enough to be representative, but the answers are useful. I was expecting the results to be similar to the poll, where journalists in North America and Western Europe were more likely to know what two-factor authentication is. Instead, of the six organizations that use two-factor authentication, only one was in the U.S. The rest were in South Asia and the Americas. Contacts at some of these international companies told me they rely on two-factor authentication not only on Twitter, but on every critical service that offers it.
One of the things that struck me was that although news outlets increasingly use social media to share reports or break news, security appears to often be overlooked. Several of the social media editors with whom I spoke said beyond setting a strong password, they had never heard from managers about the need to protect social media accounts. At the U.S.-based company that uses two-factor authentication, it was the social media editor with whom I spoke who had taken the initiative to enable the protection on the official accounts. The editor said management didn't offer security-related recommendations for the accounts. It would appear that social media editors who use two-factor authentication are typically doing so because they personally believe it is important.
The easiest way to enable two-factor authentication on shared accounts is by using the teams feature on TweetDeck and then using the app to manage and run the account. With this process, each team member uses their personal Twitter login to access TweetDeck. This allows multiple users to manage and run a shared account from TweetDeck, eliminating the need for team members to log into the shared account directly. TweetDeck, which is an official Twitter app, can be accessed in a browser at https://tweetdeck.twitter.com, through the Chrome App or as a desktop app. The main account user creates team members by adding Twitter users as contributors or administrators of the shared account.
Other Twitter management apps exist, but be sure to check whether they offer two-factor authentication before using them to manage an official account.
Three steps to Twitter protection for teams
- Use TweetDeck to log into the shared Twitter account. Add the personal Twitter handles of selected team members. (Twitter's product manager Amy Zima goes into greater about the process here.)
- Enable two-factor authentication, also known as "login verification" in the shared Twitter.com account's settings.
- Ensure every TweetDeck team member enables two-factor authentication on their personal accounts via the Twitter.com settings.
Keep in mind
- Enabling two-factor authentication means the shared Twitter account will be linked to one staff member's phone. That employee will be the only person who can access the account via Twitter.com. However, once a shared account is being run on TweetDeck, there is rarely a need to log into Twitter.com.
- Either a cell phone number or a Google Voice number can be used to accept the two-factor authentication codes sent by Twitter. Ensure two-factor authentication is activated on the Google account if using the Google Voice method.
In cases where journalists or outlets are concerned about receiving authentication codes from Twitter via SMS, a Google Voice number is the best option. Because no cellphone carriers are involved in this method, it eliminates the risk of authorities requesting access to phone logs, which could also provide access to the social media account. For more details on cellphone security, see CPJ's Journalist Security Guide
- Remember, everyone will log into TweetDeck using their personal Twitter account. Each team member has delegated access to the shared account, allowing users to tweet from both their personal and the shared account.
- After enabling two-factor authentication on Twitter.com, the main account holder should generate a backup code. That code is the only way to get into the Twitter account if the phone is lost or stolen. Also remember that as long as two-factor authentication is turned on, you must have access to that phone number or, if using Google Voice, the number must remain active. If the primary account user's number changes, the settings in the shared Twitter account must be updated before access to the original number is lost. If you don't have access to the phone or Google Voice account and forgot to generate a backup code, even a password reset won't help you get back in.
[EDITOR'S NOTE: This blog post has been updated to include details on using Google Voice to set up two-factor authentication.]