"However, although considered strong, two-factor authentication alone is not really adequate as cybercriminals using financial malware have already found ways to circumvent it using Man-in-the-Browser attacks," he said.
Standing back, Twitter's two-factor SMS roll-out could just be the start, a necessary short-term fix to a growing problem in advance of the firm's likely IPO. Other layers might be needed.
"Twitter should also strongly consider enabling options other than SMS and even consider allowing enterprises to enable location- and/or IP-based log-in options," suggested Amar Singh, CISO for News International and chair of the ISACA security group.
"These are good baby steps," said Singh.