
HootSuite and Buffer: Social Media Giants Enable Two-Factor

Following the compromise of the AP's Twitter account, which sent the Dow Jones Industrial Average down 128 points on the strength of a single false tweet, social media reached a new level of seriousness. As with any technology, the criticality of the information being exchanged dictates the level of security controls required to adequately protect it. This compromise and others (ranging from Burger King to Jeep) put pressure not only on Twitter to add stronger authentication to its own service, but also on the services many organizations use to manage their social media presence, such as HootSuite and Buffer.

Soon after the AP compromise, Twitter added SMS-based two-factor authentication to help address the threats facing its users. While this addressed the overall lack of strong authentication, it frustrated many organizations because the second factor is tied to a single cell phone number. In large organizations especially, sharing the credentials of a social media account among several staff is common; routing every one-time code to one phone left exactly the people who most needed strong authentication in a tough spot.

Despite the clear need for strong authentication that works for multiple users, neither HootSuite nor Buffer offered a solution for their own services. Fortunately, in just the past few weeks both have begun rolling out two-factor authentication for their customers.

HootSuite

HootSuite has been extremely quiet about the launch of its two-factor authentication. While documentation for enabling it exists, there has been very little press or other announcement that the feature shipped. It is implemented with time-based one-time passwords (TOTP), an open standard that many other online services (such as Facebook and Amazon Web Services) also use. A HootSuite user who opens the Settings page will find the option, which HootSuite calls "2-Step Verification", under Account->Security. Whether the lack of an announcement reflects a slow rollout or something else will likely become clear in the coming months.

Buffer

Unlike HootSuite, the folks at Buffer have been very open about adding two-factor authentication for their users. Buffer published a blog post detailing the feature, which it calls "2 Step Login". Like HootSuite, Buffer has chosen TOTP to meet its customers' two-factor needs. Users will find the option under My Account->Access & Password; clicking Enable 2-Step Login begins the setup process.

Using HootSuite and Buffer two-factor authentication

Because both use TOTP (RFC 6238), HootSuite and Buffer work with Duo Security's Duo Mobile app, as they do with any other standards-compliant TOTP authenticator. Follow the relevant documentation linked above and, when the service's setup displays a QR code, scan it with Duo Mobile to complete enrollment.
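To make concrete what the QR code hands to the authenticator and what the app then computes every 30 seconds, here is an added example (not HootSuite's, Buffer's or Duo's code): a minimal RFC 6238 TOTP implementation in Python, with the server-side verification a service needs (clock-skew window, constant-time compare, replay rejection). It assumes the QR code encodes an otpauth:// Key URI, the de facto format authenticator apps scan; the services' exact payload is not documented on this page, so that format, the sample "Buffer:alice@example.com" label and the secret are constructed here. The RFC 6238 test vectors are the RFC's own.

```python
"""RFC 6238 TOTP, written from the RFC as an illustration (not any vendor's code)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890"); the
# RFC's 8-digit SHA-1 vectors for it are asserted in the tests below.
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed otpauth URI of the shape an enrollment QR code is assumed to
# carry (Key URI format): label, base32 seed, issuer. Not a real account.
SAMPLE_URI = ("otpauth://totp/Buffer:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Buffer")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1):
    """Server-side check. Accepts codes from counter-window..counter+window to tolerate
    clock skew, compares in constant time, and refuses any counter at or below the last
    one accepted so a captured code cannot be replayed. Returns the matched counter
    (the caller must persist it) or None."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/Label?secret=BASE32&issuer=...&digits=..&period=..&algorithm=.."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)     # some issuers omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    code = totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"], enrolled["algorithm"])
    print(f'{enrolled["label"]}: current code {code}, valid for {30 - now % 30}s')
    matched = verify_totp(enrolled["secret"], code, now)
    print("server accepts:", matched is not None,
          "| replay rejected:", verify_totp(enrolled["secret"], code, now, last_counter=matched) is None)
```

Two points the paragraph above does not spell out: the seed in that QR code is the entire second factor, so it can be enrolled on more than one device (which is what makes TOTP workable for a shared account) and must be protected accordingly, and the service's clock has to be in sync or legitimate codes will fall outside the validation window.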

The future for social media two-factor authentication

We've already seen Twitter roll out an updated version of its two-factor authentication that supports a "push" method backed by public-key cryptography. That is a great step for usability, but customers with shared accounts still don't have the flexibility they may wish for. Ideally, Twitter and the other social networks will continue to add functionality that lets multiple users authenticate to one account, and then apply strong authentication to those features.

In the meantime, HootSuite and Buffer have made a strong case for using their services while keeping the actual Twitter credentials strong and closely held. Still, both services (and the social networks themselves) need to make the end-user experience pleasant enough that adoption becomes widespread. As social media keeps growing in importance, expect the security of these accounts to receive continued emphasis, lest we see further national panic over a single tweet.

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.