Twitter today rolled out two-factor authentication using SMS as a secondary identity verification device in reaction to attacks on its users' accounts, a move which has already attracted a potential lawsuit.
Several high-profile media Twitter accounts have recently been compromised, prompting the increase in security.
But the social network has incurred the wrath of New Zealand-based internet entrepreneur Kim Dotcom, who has laid claim to being the inventor of two-factor authentication.
Dotcom yesterday said on Twitter the likes of Google, Facebook and Twitter offering two-step authentication was a "massive IP infringement" on what he claimed were his innovation and patent.
Big reveal: 1 billion+ Two-Step-Authentications on the Internet weekly. I invented it. Here's proof: google.com/patents/US6078…
— Kim Dotcom (@KimDotcom) May 22, 2013
Dotcom's patent is assigned to him under his previous name, Kim Schmitz. It is filed in the United States and the European Union, and covers a "method for authorising in data transmission and communications systems".
The patent, US6078908, was filed in April 1998 and published in June 2000.
Dotcom is now threatening to sue unnamed United States companies for infringing on his patent, in response to his prosecution for alleged copyright crimes.
I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now cause of what the U.S. did to me
— Kim Dotcom (@KimDotcom) May 22, 2013
The internet file-sharing tycoon said he wouldn't sue Google, Facebook and Twitter if they helped to fund his legal defence against US allegations of copyright infringement.
Dotcom estimated the case would cost US$50 million or more to pursue. His own assets and those of his file-sharing company Megaupload have been frozen by the US government.
2FA busted
Despite the land grab, security experts said two-factor authentication had its limitations.
"Mobile SMS authentication is busted ... two-factor authentication as a concept has been busted," digital identity expert Stephen Wilson said.
"The test has always been that you need a second physical factor that’s out of band, a second channel."
During the AusCERT information security conference being held in Queensland this week, two presenters showed how it was possible to use NFC or RFID stickers to compromise mobile phones.
"If you can do that I don’t see why you couldn’t command a phone to pop up a message that would at least look like an SMS so then you can mount a man-in-the-middle attack on any SMS 2FA."
Wilson said despite the Comms Alliance deprecating SMS authentication, it was a better solution than nothing.
"Even though these things are flawed they’re certainly better than nothing."