{"id":6432,"date":"2014-10-24T10:00:00","date_gmt":"2014-10-24T14:00:00","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=6432"},"modified":"2014-11-26T11:02:04","modified_gmt":"2014-11-26T16:02:04","slug":"twitter-digits-new-authentication","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/twitter-digits-new-authentication\/6432\/","title":{"rendered":"Twitter’s Foray into Authentication: SMS to Replace Passwords"},"content":{"rendered":"

The microblogging service and social network Twitter is now the latest entrant in the race to replace passwords, with a new system called \u201cDigits\u201d. It\u2019s got a hip name and the idea behind Digits seems very promising. Digits authentication is based entirely on cellular access. Your username is your phone number and a real-time, disposable SMS-generated code is your password.<\/p>\n

The most interesting thing is that it isn\u2019t just for Twitter \u2014 it\u2019s available for any developer that wants Digits authentication in their app. And there is a reason why they will be glad to have it.<\/p>\n

\"twitter\"<\/a><\/p>\n

\u201cPhone numbers are the primary identity for the fastest growing mobile demographics, including emerging markets, which account for over 70% of the world\u2019s mobile population,\u201d Twitter says. \u201cWith Digits, you can build a customized onboarding and sign-in experience for these markets.\u201d
\n\u201cOnboarding\u201d seems to be new-age developer jargon for getting people to sign up for a particular app. As in: getting users onboard.<\/p>\n

#Twitter plans to replace usernames with mobile phone numbers & #passwords w\/ one-time, SMS-generated codes<\/p>Tweet<\/a><\/blockquote>\n

The service seems particularly useful in parts of the world that aren\u2019t beholden to the near-ubiquitous tech-giants. In the United States, for example, countless applications will offer users the capacity to sign up for, and later authenticate themselves into a certain app or service by using their Facebook or Twitter or Gmail account identity as their username along with a specific password. Email accounts are obviously the most popular variation. Just take a moment to think about how many online accounts are tied to your email\u2026<\/p>\n

But once you move a couple of thousand miles from nearest Tesla charging station and your favourite organic food store at the corner, you realise that it isn\u2019t that common there to use email, Facebook, Twitter and so on. There is huge amount of people who don\u2019t have anything from this list. But what they do have is mobile phone number. Because in many places of the world cellular network is the only option for making call or getting Internet access.<\/p>\n

As example of how it works we can look at mobile banking in emerging markets. Africa, particularly the sub-Saharan parts, home to many of the world\u2019s most aggressively emerging markets, rely in part on something of a cashless economy. Payment is dominated by mobile telecoms in Kenya. And people aren\u2019t paying with apps on their smart phones: they\u2019re relying on relatively simple services like M-Pesa, which work on the older variety brick or burner phones. Through M-Pesa, users can transfer money, make payments and even take out withdrawals from local merchants.<\/p>\n

The graphic below comes from the Wall Street Journal and is based on World Bank statistics:<\/p>\n

\"Mobile<\/a><\/p>\n

This illustrates that simple mobile phone based services are growing in the developing world. It\u2019s hard to say if Twitter\u2019s move was based in part on the M-Pesa economy in places like Kenya, Tanzania, India and South Africa, but I think that reality, that cellular access if relatively cheap and available in emerging markets, bodes well for a service like Digits.<\/p>\n

But it isn\u2019t just about emerging markets. The core idea looks interesting for developed countries too. We\u2019re generally skeptical of new ideas to replace passwords, but Digits strikes us as a simple solution to a tough problem, prompting us to wonder why no one has thought of this before?<\/p>\n

\"Twitter<\/a>

And for developers out there, it seems the code required to implement Digits into your app is incredibly simple<\/p><\/div>\n

I\u2019ve written about heartbeat-based, fingerprint-based, iris-based, smell-based, earlobe-based, electromagnetic tattoo- and pill-based, geolocation-based and who knows how many other forms of biometric and wearable authenticators. They we\u2019re all interesting but they all seemed overly complicated.<\/p>\n

\u201cWhen users forget what they used to sign up for your app \u2014 you can lose customers. By using our SMS verification you can minimize both support costs and sign-in failures\u201d \u2013 says Twitter<\/div>\n

Digits is designed to shift the authentication paradigm away from email and toward mobile number. Perhaps more importantly, Digits offers a seamless replacement for static passwords. It also could help resolve the problem of forgotten passwords.<\/p>\n

\u201cWhen users forget which service they used to sign up for your app \u2014 email addresses, usernames, or passwords \u2014 you can lose customers,\u201d Twitter argues in its promotional material. \u201cBy using our SMS verification in lieu of passwords, you can minimize both support costs and sign-in failures \u2014 all while keeping your users happy and your app growing.\u201d<\/p>\n

Of course, it can\u2019t be all good news. Digits isn\u2019t particularly helpful in places without a cellular signal. That\u2019s not such a big deal out in the wild, where you probably don\u2019t have Internet access anyway, but it could spell trouble in your parent\u2019s basement.<\/p>\n

\n
\n

10 tips on how to stop your #iPhone<\/a> from revealing your secrets https:\/\/t.co\/N9gzmq2deP<\/a><\/p>\n

\u2014 Eugene Kaspersky (@e_kaspersky) October 1, 2014<\/a><\/p><\/blockquote>\n