Login Verification On Twitter For iPhone And Android
Article Summary
Twitter built a 2FA system where your private keys never leave your phone and the server stores no persistent secrets. Here's the engineering behind it:
Back in 2013, Twitter's engineering team tackled a fundamental challenge: making two-factor authentication both more secure AND easier to use. This deep dive reveals the cryptographic architecture behind their mobile-first login verification system.
Key Takeaways
- 2048-bit RSA keypair generated on device, private key never transmitted to servers
- S/KEY-inspired backup codes use a chain of 10,000 SHA-256 hashes for offline recovery
- Push notification approval replaces SMS codes, so there is no SMS delivery channel left to compromise
- 190-bit random nonces drive a challenge-response flow that needs no shared secret
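The S/KEY-style backup codes from the takeaways above, as an added example that is not Twitter's code or from the original article. It implements the generic hash-chain scheme S/KEY is built on: the phone keeps a seed, the server stores only the chain tip, and each code presented is the preimage of the current tip. The 10,000-step chain length is the figure the article gives; the type names, the seed value and the in-memory "database" are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// ChainLength is the number of SHA-256 steps in the chain, matching the figure
// the article gives. Everything else in this file (type names, the seed value,
// the in-memory "database") is an illustrative assumption, not Twitter's code.
const ChainLength = 10000

// step applies one SHA-256 iteration to the previous chain value.
func step(v []byte) []byte {
	h := sha256.Sum256(v)
	return h[:]
}

// Iterate returns x_k where x_0 = seed and x_i = SHA256(x_{i-1}).
func Iterate(seed []byte, k int) []byte {
	v := seed
	for i := 0; i < k; i++ {
		v = step(v)
	}
	return v
}

// BackupServer stores only the chain tip x_n. A copy of its database lets an
// attacker verify codes but not produce one: producing the next valid code
// x_{n-1} would require inverting SHA-256.
type BackupServer struct {
	tip       []byte
	remaining int
}

// EnrollBackupCodes records the tip the phone computed from its local seed.
func EnrollBackupCodes(tip []byte, n int) *BackupServer {
	return &BackupServer{tip: append([]byte(nil), tip...), remaining: n}
}

// Redeem accepts code iff SHA256(code) == stored tip, then moves the tip down
// one link so the same code can never be accepted twice.
func (s *BackupServer) Redeem(code []byte) bool {
	if s.remaining == 0 {
		return false
	}
	if subtle.ConstantTimeCompare(step(code), s.tip) != 1 {
		return false
	}
	s.tip = append([]byte(nil), code...)
	s.remaining--
	return true
}

// Remaining reports how many codes are left before the chain is exhausted.
func (s *BackupServer) Remaining() int { return s.remaining }

// BackupClient is the phone side: it keeps the seed and walks the chain
// backwards, presenting x_{n-1}, x_{n-2}, ... so a code is revealed only after
// every code above it has already been consumed.
type BackupClient struct {
	seed []byte
	next int
}

func NewBackupClient(seed []byte, n int) *BackupClient {
	return &BackupClient{seed: append([]byte(nil), seed...), next: n - 1}
}

// NextCode recomputes x_next from the seed. Recomputing the chain costs at most
// 10,000 SHA-256 calls, so the phone needs to store nothing but the seed.
func (c *BackupClient) NextCode() []byte {
	if c.next < 0 {
		return nil
	}
	code := Iterate(c.seed, c.next)
	c.next--
	return code
}

func main() {
	seed := []byte("constructed-seed-for-illustration") // constructed, not a real secret
	srv := EnrollBackupCodes(Iterate(seed, ChainLength), ChainLength)
	cli := NewBackupClient(seed, ChainLength)

	code := cli.NextCode()
	fmt.Printf("code x_9999 = %s\n", hex.EncodeToString(code))
	fmt.Println("first use accepted:", srv.Redeem(code))
	fmt.Println("replay accepted:   ", srv.Redeem(code))
	fmt.Println("next code accepted:", srv.Redeem(cli.NextCode()))
	fmt.Println("codes remaining:   ", srv.Remaining())
}
```

Two properties matter for a defender here: the server's stored value is replaced by the code just redeemed, so a stolen database only ever reveals codes that have already been used, and a code presented out of order (x_{n-4} while the tip is x_{n-2}) is rejected because it is not a single SHA-256 preimage of the tip.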
Critical Insight
Twitter proved you can build 2FA that's resilient to server compromise while being simpler than typing SMS codes.
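The challenge-response login behind that claim, as an added example rather than code from the article or from Twitter. It shows why a server compromise yields nothing usable: the server holds only a public key and a per-login nonce, neither of which is secret. The 2048-bit RSA key and 190-bit nonce sizes are the article's figures; the use of RSA-PSS over SHA-256, the type names, the in-memory maps and the user name "alice" are assumptions made for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// NonceBits and the 2048-bit key size are the figures the article gives.
// The names, the in-memory maps, the RSA-PSS choice and the message flow are
// illustrative assumptions, not Twitter's code.
const NonceBits = 190

// Phone holds the private key; it is generated here and never leaves this type.
type Phone struct {
	priv *rsa.PrivateKey
}

func NewPhone() (*Phone, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Phone{priv: priv}, nil
}

// PublicKey is the only key material sent to the server at enrollment.
func (p *Phone) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Approve models the user tapping "approve" on the push notification: the
// phone signs the server's nonce (RSA-PSS over SHA-256) and returns the signature.
func (p *Phone) Approve(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// AuthServer stores public keys and, per login attempt, one outstanding nonce.
// Neither is a secret, so a database dump gives an attacker nothing to log in with.
type AuthServer struct {
	mu      sync.Mutex
	pubs    map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{pubs: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *AuthServer) Enroll(user string, pub *rsa.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubs[user] = pub
}

// Challenge draws a uniform 190-bit nonce and remembers it as the single
// outstanding challenge for this user; it is what the push notification carries.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), NonceBits) // 2^190
	n, err := rand.Int(rand.Reader, limit)              // uniform in [0, 2^190)
	if err != nil {
		return nil, err
	}
	nonce := n.FillBytes(make([]byte, (NonceBits+7)/8)) // 24 bytes, top 2 bits zero
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubs[user]; !ok {
		return nil, errors.New("user not enrolled")
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify consumes the outstanding nonce and checks the signature against the
// enrolled public key. The nonce is deleted before verification so every
// challenge is answered at most once, whether or not the answer was valid.
func (s *AuthServer) Verify(user string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, ok := s.pubs[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	phone, err := NewPhone()
	if err != nil {
		panic(err)
	}
	srv := NewAuthServer()
	srv.Enroll("alice", phone.PublicKey()) // "alice" is a constructed user name
	nonce, _ := srv.Challenge("alice")
	fmt.Println("nonce:", hex.EncodeToString(nonce))
	sig, _ := phone.Approve(nonce)
	fmt.Println("login:", srv.Verify("alice", sig))
	fmt.Println("replay:", srv.Verify("alice", sig))
}
```

Deleting the nonce before the signature check is deliberate: a captured approval cannot be replayed, a second challenge invalidates the first, and a signature from any other device's key fails against the enrolled public key. A production server would additionally expire pending nonces and rate-limit Challenge, which this in-memory sketch omits.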