Twitter recently announced a Two-Factor Authentication (“TFA”) option for its users. If you enable this on your account, every time you log into Twitter.com you will be asked to enter a six-digit code that Twitter sends to your phone via SMS. This is great for protecting your personal account, but as many bloggers have noted, this is basically unusable for shared company Twitter accounts such as the @AP or @Guardian accounts that have recently been hacked. Here are a handful of articles addressing this shortcoming:
“Why Twitter’s two-factor authentication isn’t going to stop media organisations from being hacked” – Sophos’ Naked Security Blog
“Twitter’s Two-Factor Authentication Can’t Stop Account Hijackings” – PCMagazine’s Security Watch
This is a problem for large news & media organizations that have been the center of the recent Twitter hacks. Graham Cluley sums it up nicely in his post on Sophos’ Naked Security Blog:
“Media organisations which share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts. TFA isn’t going to help these companies, because they can’t all access the same phone at the same time.”
How Do News & Media Organizations Currently Manage Shared Accounts?
Large organizations operating shared Twitter accounts have essentially three options.
Option #1: Continue to share the account password with all your employees.
Pros: Conveniently allows employees to Tweet using whichever application they prefer, straight from their phone, Twitter.com, etc. Simplicity of sharing the password increases employee engagement and the possibility that employees will actually participate and generate content.
Cons: Terrible for security, can’t use Twitter Two Factor Authentication, hard to manage, and hard to know who is Tweeting what content. Sharing the password with dozens of employees is the fundamental cause of many of the recent Twitter account hacks.
Conclusion: For many organizations, the convenience and ease of sharing the password apparently outweighs the lack of oversight and risk. As a result of the recent high profile hacks, this seems to be changing and organizations are now looking for more secure alternatives.
Option #2: Use a third party application such as Hootsuite.
Pros: Good for full-time social media staff, lots of features, most allow you to designate team members.
Cons: Hootsuite and other third party applications don’t provide a Two Factor Authentication option. Not as simple as sharing the password. Employees are forced to learn and use a specific application. Feature-heavy dashboards are often overkill and can discourage your employees from actively using them on a regular basis. Adding more than a couple of team members gets expensive very quickly.
Conclusion: Hootsuite and other full service dashboards are great for full time and experienced social media personnel. However, using these platforms exclusively will undoubtedly limit the number of employees that will actually participate on a regular basis. The fact that many organizations are still getting hacked tells us that many employees would rather share the password and Tweet from the native Twitter apps than have to learn and use a full featured dashboard option.
Option #3: Use GroupTweet and enable Twitter’s Two Factor Authentication even for shared accounts.
Pros: Even easier than sharing the company password. Supports Twitter’s native two factor authentication (read below for more details). Allows employees to Tweet using whichever application they prefer, straight from their phone, Twitter.com, etc. Provides both a simple dashboard and the ability for contributors to Tweet directly from their own accounts by including the company hashtag in a Tweet or @mentioning the company account. No need to log in to a dashboard or even switch back and forth between multiple accounts. Fully integrates with any other third party application: you can have a couple of team members using Hootsuite alongside others using GroupTweet.
Cons: If you find any, post them in the comments and we can either fix them or recommend a solution.
Conclusion: GroupTweet provides the best of both worlds. For contributors, it’s even easier than sharing the password. Additionally, it provides the added security benefits of Twitter’s Two Factor Authentication and the account management features of a dashboard offering.
GroupTweet offers the ability to safely and securely add multiple contributors to your Twitter account, but approaches the workflow in a unique way that our users love. News & Media organizations such as ESPN, FoxNews, SkyNews, the New York Post and others are all using GroupTweet every day to help manage their Twitter accounts safely, securely, and conveniently.
So How Does GroupTweet Work with Twitter’s TFA?
GroupTweet allows you to add Twitter’s TFA to your shared company Twitter account and still let multiple people Tweet from that account.
GroupTweet keeps your account secure by allowing multiple contributors to Tweet from your account without needing to know the password of the company account.
Step 1: Enable TFA on your company Twitter account. Instructions can be found on Twitter’s Blog.
Step 2: Activate your company account with GroupTweet.
Step 3: List the contributors that you want to be able to Tweet from your company account.
Simple as that! Now you just need to choose the method in which your contributors/employees will be Tweeting from the company account. There are two GroupTweeting methods:
Method 1: Employees log in securely to the GroupTweet dashboard with their own secure login details. Unlike other third-party dashboards, full TFA login is supported for all your employees logging in with their personal Twitter accounts. From the dashboard, contributors can send Tweets from the company account and reply to incoming @mentions.
Method 2: Employees can Tweet directly from their own personal Twitter accounts using whichever Twitter application each of them prefers. There is no need for them to log in to a cumbersome social media dashboard or even log in and out of multiple accounts! They can either send a private Direct Message to the company account, @mention the company account, or include your chosen #hashtag in their Tweets.
As you can see, GroupTweet provides the best of both worlds. We provide a dashboard for those interested, but we also allow contributors to Tweet directly from their own Twitter accounts using whichever Twitter application each of them prefers. Use Twitter for iPhone, Android, Tweetdeck, Hootsuite, Twitter.com, whatever each person wants!
If you have multiple employees managing your accounts, and you want to use Twitter’s Two Factor Authentication, then GroupTweet is your best option.
Should All Employees Enable TFA on Their Accounts Too?
Yes, we recommend all your employees enable TFA on their personal accounts. The beauty of GroupTweet is that it works flawlessly when all, some, or none of your employees have TFA enabled. Undoubtedly, some employees will avoid enabling TFA due to the inconvenience; however, your account will still be safe with GroupTweet because now you don’t have to share the company password with multiple employees. With GroupTweet, only one or two employees (the one whose phone is linked to the company account) need to know the password for the company account.
Bonus Tip: You will find you can only connect a phone number to one Twitter account, so if you have multiple Twitter accounts, you can use an app called Heywire. It appears to be the only texting app that receives confirmation codes from Twitter.
Your Employees Will Use GroupTweet in Different Ways
GroupTweet is entirely flexible. We don’t force one method or another on all of your employees. Some employees will prefer logging into the dashboard, whereas others will prefer sending the Tweets straight from their phone, tablet, or Twitter.com.
Sending a Tweet from the company account is as easy as including a Hashtag in their Tweet, or sending a Direct Message or @Mention to the company account.
Let’s See Some Examples in Action
Here are some examples of contributors sending a Tweet directly from their own Twitter accounts.
@FoxNewsRadio uses GroupTweet to allow multiple reporters to securely send Tweets from the @FoxNewsRadio account. Here is a Tweet from Mike Majchrowitz:
Pres Obama just signed H.R. 1765, the "Reducing Flight Delays Act of 2013," which give the agency sequester flexibility #fnr
— Mike Majchrowitz (@Majchrowitz) May 1, 2013
FoxNews has configured their GroupTweet so that anytime an approved contributor includes #fnr in a Tweet, that message will then also be Tweeted from @FoxNewsRadio and give attribution to the sender, as you can see below:
Pres Obama just signed H.R. 1765, the "Reducing Flight Delays Act of 2013," which give the agency sequester flexibility (@Majchrowitz)
— FOX News Radio (@foxnewsradio) May 1, 2013
Mike Majchrowitz doesn’t need to log in to the @FoxNewsRadio account to send that Tweet. In fact, he doesn’t even know the password for the account, which ensures the security of the account.
Sky News Australia has their GroupTweet configured slightly differently. When any of their contributors include @SkyNewsAust in a Tweet, that triggers a GroupTweet from the @SkyNewsAust account.
— Nina Stevens (@NinaBStevens) May 2, 2013
Which results in the following Tweet below:
— Sky News Australia (@SkyNewsAust) May 2, 2013
You can see they’ve chosen to include “via @NinaBStevens” at the beginning of their message. GroupTweet is completely flexible and can be configured in a number of ways.
Don’t Want Contributors’ Names to Appear on Each GroupTweet?
No problem, you can make each GroupTweet look just like any normal Tweet. There is no need to include the contributor attribution. @ESPNmx has their GroupTweet settings configured to not display the contributor username. @ESPNmx has several employees using the GroupTweet dashboard to send Tweets but they also have a couple employees using the hashtag GroupTweet method as you can see below:
— Eduardo Sánchez Gil (@edsagil) April 16, 2013
Which results in the Tweet below:
— ESPN.com.mx (@ESPNmx) April 16, 2013
Another option is to simply include a contributor’s initials at the end of the Tweet. This configuration is being used by @Fox4KC as you can see below:
Ford adding a 3rd shift to it's F-150 production line as truck sales surged. 900 new jobs for the KC plant! pic.twitter.com/PXjxAEPDA6 ^JP
— FOX 4 News (@fox4kc) May 2, 2013
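The relay behaviour in the examples above (an approved-contributor list, a trigger hashtag or @mention, and a configurable attribution style) can be modelled as follows. This is an added sketch, not GroupTweet's code: RelayConfig, relay, the handles and the #desk tag are hypothetical, and the sender is assumed to be the author handle the platform has already authenticated, never a value parsed from the message text.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RelayConfig:
    account: str                  # shared handle, without "@" (constructed)
    trigger: str                  # "#tag" or "@account" that requests a relay
    attribution: str = "handle"   # "handle" | "via" | "initials" | "none"
    contributors: dict = field(default_factory=dict)  # handle -> initials

    def approve(self, handle: str, initials: str) -> None:
        self.contributors[handle.lower()] = initials

    def revoke(self, handle: str) -> None:
        # Removing the entry cuts off a compromised contributor at once;
        # the shared account's password never has to change.
        self.contributors.pop(handle.lower(), None)


def relay(cfg: RelayConfig, sender: str, text: str) -> Optional[str]:
    """Return the text to post from the shared account, or None to ignore."""
    initials = cfg.contributors.get(sender.lower())
    if initials is None:
        return None  # anyone can type the trigger; the list is the access check

    def is_trigger(word: str) -> bool:
        # Whole-token, case-insensitive match so "#desktop" does not fire "#desk".
        return word.rstrip(".,!?:;").lower() == cfg.trigger.lower()

    words = text.split()
    if not any(is_trigger(w) for w in words):
        return None  # an ordinary personal post stays personal
    body = " ".join(w for w in words if not is_trigger(w))
    if cfg.attribution == "handle":
        return f"{body} (@{sender})"
    if cfg.attribution == "via":
        return f"via @{sender} {body}"
    if cfg.attribution == "initials":
        return f"{body} ^{initials}"
    return body  # "none": reads like any other post from the shared account


if __name__ == "__main__":
    cfg = RelayConfig(account="newsdesk", trigger="#desk")
    cfg.approve("reporter_a", "RA")
    print(relay(cfg, "reporter_a", "Budget vote passes 5-4 #desk"))
    print(relay(cfg, "stranger", "Fake alert #desk"))  # None: not approved
```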
Let us Help You Keep Your Organization’s Twitter Accounts Safe
If you have any questions at all about how GroupTweet can benefit your organization, don’t hesitate to reach out and ask. We are happy to work with you to develop a plan that will help you get the most out of GroupTweet. You can reach out on Twitter or send me an e-mail.
In the worst-case scenario that one of your employees doesn’t enable TFA on their account and their account is compromised, it likely won’t have any impact on the company account, as their privileges can be quickly revoked until they regain control of their account.