Twitter Is Correct To Move Away From SMS Two Factor Authentication, Though, There Are Much Better Ways To Do It
from the good-idea,-bad-reasons,-bad-rollout dept
A lot of people freaked out on Friday after the news came out that Twitter was going to make SMS two-factor authentication (2FA) only available to paid Twitter Blue subscribers. The news was first broken, like so much Twitter news these days, by Platformer reporter Zoe Schiffer.

It’s understandable that people were up in arms over this, as one reading of it is that keeping your account secure has become a luxury item you have to pay extra for. But the details matter here, and I think many people are overreacting. There are fundamentally good reasons to move away from SMS-based 2FA: mainly that it’s woefully insecure, and that it runs the risk of making people think they’re far more secure than they are. If you follow cybersecurity news, there are tons of articles explaining why SMS 2FA is not a good idea and why you should ditch it if you can. Some have argued it’s actually worse than just having a good password, though I think that very much depends on your threat model, and for most users it’s not true: an attacker who has singled you out can defeat SMS codes with a SIM swap or by phishing the code out of you in real time, but against opportunistic attacks working from a leaked, reused or brute-forced password, SMS 2FA still stops the login. Years back, Microsoft told everyone to move away from SMS-based 2FA. Google started transitioning people off of SMS-based 2FA all the way back in 2017, slightly after NIST had deprecated SMS codes in its draft of SP 800-63B (the final 2017 version downgraded that to “restricted,” still a clear signal to move on). But at least there was a clear transition plan.
Soon after Schiffer’s tweet, Twitter released a blog post explaining the decision (though, bizarrely, despite coming out on Friday afternoon, the blog post was backdated to Wednesday?!?):
While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.
Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled. Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account. If you would like to do so, instructions to update your account phone number are available on our Help Center.
We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead. These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.
It also helps to understand a bit of the background here. First, Twitter was (as in so many other areas) somewhat late to the 2FA game. When it added SMS-based 2FA in 2013, there were headlines about how it had “finally” done so. And it was only in 2019 that the company let you turn on non-SMS 2FA without a phone number, again leading to headlines that included the word “finally.” And the weakness of anything tied to a phone number was pretty damn clear when someone took over Jack Dorsey’s own Twitter account in 2019 via a SIM swap (in that case to post through Twitter’s tweet-by-text feature, but the same trick is the easiest way around SMS 2FA).
On top of that, I’ve spoken with former Twitter employees who say that the blog post above is not wrong when it says that SMS 2FA is often abused by bad actors in a manner that generates a ton of SMS messages, and is actually extremely costly for Twitter. Even if Elon is no longer paying any of Twitter’s bills, there may be legitimate business reasons for ending support for SMS 2FA (also if, hypothetically, Musk had stopped paying the bills for their SMS 2FA provider, it’s possible that vendor was threatening to cut Twitter off entirely, which might also explain the short timeline here).
So, I think that many of the headlines and tweets decrying this as making security a “luxury” for paying subscribers only are unfair and inaccurate. There are lots of things (obviously) that I criticize Musk about, but there are perfectly legitimate reasons to end support for SMS 2FA, and at least some of the freakout was an overreaction.
That said… I do still have many concerns with how this was rolled out, and it wouldn’t surprise me if the FTC has some concerns as well. While it’s a bit out of date, Twitter’s last transparency report on security (covering the second half of 2021) shows that only 2.6% of active Twitter accounts even have 2FA enabled, which is really not great. And of those that have it enabled, nearly 75% are using SMS (Twitter’s own breakdown was 74.4% SMS, 28.9% authenticator app and 0.5% security key, with some overlap since an account can have more than one method):


So, there’s a legitimate fear that simply killing off SMS 2FA without a very clear and very straightforward transition to an authenticator app (or security key) will drive the percentage of people using any 2FA at all down quite a bit, putting more people at risk. If Twitter and Elon Musk weren’t just cost cutting and were actually looking to make Twitter more secure for its users, they would create a plan that did a lot more to transition users over to an authenticator app.
I mean, the fact that they’re still leaving SMS 2FA for Twitter Blue subscribers pretty much gives away the game that this is solely about cost-cutting and not about transitioning users to better security. Indeed, it seemed like after spending a day talking about the expenses, it was only then that Musk realized that SMS 2FA also wasn’t good for security and started making those claims as well (a day late to be convincing that this has anything to do with the decision).
All that said, I am wondering if this might trigger yet another FTC investigation. The last consent decree with the FTC (remember, this was less than a year ago) was mostly about SMS 2FA, and how Twitter had abused the phone numbers it had on file, provided for 2FA, as a tool for marketing. That’s obnoxious and wrong and the FTC was correct to slam Twitter for it. Part of the consent decree was that Twitter had to provide 2FA options “that don’t require people to provide a phone number” (such as an authenticator app or security key, which the company does). But, also, it says that “Twitter must implement an enhanced privacy program and a beefed-up information security program.”
The details of that program include regular security assessments any time the company “modifies” its security practices. I’m curious whether Twitter did such an assessment before making this change. The requirements of the program also include things like the following:
Identify and describe any changes in how privacy and security-related options will be presented to Users, and describe the means and results of any testing Respondent performed in considering such changes, including but not limited to A/B testing, engagement optimization, or other testing to evaluate a User’s movement through a privacy or security-related pathway;
Include any other safeguards or other procedures that would mitigate the identified risks to the privacy, security, confidentiality, and integrity of Covered Information that were not implemented, and each reason that such alternatives were not implemented; and
Was any of that done? Or was it just Musk getting upset after seeing a bill for SMS messaging and declaring that they were cutting off SMS 2FA? We may find out eventually…
In the end, I do think Twitter is right to move away from SMS 2FA (and, as users, you should do so yourself wherever you use it). Multi-factor authentication is a very important security practice, and one that more people should use, but the SMS variety is not nearly as safe as other methods. But there is little indication here that Musk is doing it for any reason other than to cut costs, and the haphazard way in which this has been rolled out suggests that it may increase security risks for a noticeable percentage of Twitter users.
Filed Under: 2fa, cost cutting, elon musk, multi factor authentication, security, sms, twitter blue, two factor authentication
Companies: twitter


Comments on “Twitter Is Correct To Move Away From SMS Two Factor Authentication, Though, There Are Much Better Ways To Do It”
“It’s the right thing to do but let’s criticize anyway.”
We know that you adored the viewpoint-based censorship that the old management of Twitter provided and despise the fact that it has gone away under the new management, but posting endless articles disparaging Musk isn’t going to bring it back.
Re:
The entire first half of this article is dedicated to defending Twitter for a decision others have rushed to criticize.
Re: Re:
Somehow I highly doubt this is the real Matty “The Cry Baby” Bennett.
Re: Re: Re:
Not sure where you’re getting “cry baby” from, but funnily enough that wasn’t me.
I love that people are impersonating me, and then being so even tempered and non-trolly about it. The impersonator isn’t even wrong. fascinating.
Re: Re: Re:2
We’re getting it from how you whine about Mike covering Elon Musk every time a story about Musk pops up on BestNetTech. I mean, for fuck’s sake, you’ve demanded he stop writing about Musk ever since Musk took over Twitter, and you’re calling Mike deranged?
Re: Re: Re:3
It’s called “ranting” numb nuts.
Re: Re: Re:4
And it’s called “Fuck your feelings”.
Re: Re: Re:2
Mike, please stop writing articles about my idol Musk… it hurts my feelz. And it hurts Elmo’s feelz too… So just stop it now!!
You can’t even go one day without writing about Elmo.. STOP… please, I am begging you on my knees to stop hurting my feelz!!
Does that sound about right there Matty “The Cry Baby”?
Re: Re: Re:2
Fool! I am the REAL Matthew Bennett! Mike, ban this guy for impersonation!
Re: Re: Re:3
Why do you assume somebody using the same name as you is an imposter? That might be their name, as names are rarely unique.
Re:
That alone is reason enough to be critical of this change.
Musk did something good in getting rid of SMS 2FA, but the way in which he did it could have been much better.
BTW, if this was any other person than Elmo, would you still be in here defending him as if you are going to be his knight in shining armor?
Re: Re:
As long as the CEO is a Republican.
Musk just happens to be a rich, famous one with enough good rep to burn. And he’s burning all that goodwill faster than a speeding whatever.
Re: Re: Re:
…he’s burning all his money.
Re: Re: Re:2
Indeed, and so Elon Musk will soon be competing With Jeff Bezos for third place in the rich list.
Re: Re: Re:2
I’ve never seen an emerald mine burn but hey, if anyone can get an emerald mine to burn, it’s probably Elon Musk.
Re: Re: Re:3
Or Scrooge McDuck, if the DuckTales video game has taught me anything…
Re:
Surely paying for shitty security (which is what SMS 2FA is) is a good business move, Hyman.
(It’s not)
Re: Re:
It might avoid being a completely negative move, in the sense that most people would choose to use another, more secure, 2FA method that they’ve thus far avoided. I’ll even admit I was one of them, since (IIRC) SMS was the only option when 2FA was introduced and I use it so rarely and have so little personal info there that I didn’t really care until this came up.
Unfortunately, unless I missed a recent change, 2FA is not mandated, so many users will choose to not have 2FA at all rather than install an app. Which, obviously, is really bad.
Mike, I think there’s a concern you’re missing here, and that’s that some people, especially lower-income people, don’t have smartphones. SMS 2FA isn’t great but it’s better than nothing, and that’s the choice for these folks: not SMS or an app, not SMS or a dongle, but SMS or nothing.
Re:
They got Obama phones.
Re:
Seriously tho, they have Obama phones.
This is kinda like pretending that minorities can’t get ID’s for voting. It’s weirdly low-key racist and also just isn’t a thing.
Re:
….like what, you think “low income” (you can just say “poor”) people are tweeting from a desktop?
You should feel dumb for saying that.
Re:
I wonder what percent of Twitter users don’t have smartphones. It doesn’t matter if some people don’t have smartphones unless the same people are also using Twitter.
Re:
Point of order, Thad:
You are talking about getting SMS on a “feature phone”, then?
Re:
While true, I’m not sure that’s a valid excuse. You can get an Android phone for $30 or less, and even if you’re poor it costs way more than that to deal with identity theft. The problem here is that “nothing” is an option.
Re:
Not sure I see that as a legitimate concern. They’re already accessing Twitter somehow, no? If so they can also access an authenticator app.
Yes, there’s a concern that people will not switch. But the idea that they CAN’T just doesn’t seem realistic to me.
Re: Re:
Well, if you’re willing to accept a web-based “authenticator app”, anyway. Some phones have web browsers (presumably usable for “Twitter Lite”) but no third-party apps. Obsolete phones, for example, and even if they can’t connect to cell networks anymore, people might be using them on wi-fi.
Re: Re: Re:
Okay, um, and what percentage of Twitter users who are using 2FA do you think fall into the camp of people who only have such obsolete phones?
I suspect there aren’t more than 2.6% of users doing anything particularly important on Twitter. How much security does one need simply to follow a few celebrities and maybe bitch at a business to get some problem resolved? If someone gets into the account, change the password if still possible, or create a new account.
For that matter, I wonder what percentage of Twitter users have accounts at all. And how many of those actually wanted accounts, and weren’t simply pushed into creating them by Twitter’s anti-consumer behavior (in which case they almost certainly don’t care about the security).
Re:
How important a Twitter account is (not necessarily the same as how important Twitter is) isn’t for you to decide. It’s for Twitter users to decide. Those who have Twitter as their only/primary form social media probably see their account as important. And regardless, people who use Twitter to connect with real-life friends may well share personal things on Twitter. Some posts, images, and videos aren’t for all eyes.
Without 2FA, you won’t have a password to change. The attacker will change the password and log out other open sessions. You can make a new account, but the attacker will impersonate you. And if you’ve been on Twitter for a long time, the attacker might publish embarrassing content from your younger days or details which could identify you or your friends.
Re: Re:
Right. That was kind of my point. Mike’s declaring that 2.6% is not great, and my hypothesis is that it might be okay. It’s not like Twitter would tell us if 97.4% of their users weren’t very engaged, right? Absent any other data, the best way to guess is to assume that Twitter users have already decided, and 2.6% of them consider their accounts important.
Of course, it’s possible that there’s a group of people wishing they could enable 2FA, but maybe can’t figure it out, aren’t willing to give Twitter a phone number, or whatever. Is there any hint that this is a group of significant size? PaulT says Twitter used to require phone numbers anyway, which if still true rules out that potential cause.
Maybe. Spammers are probably just gonna use the accounts till they’re detected, and immediately changing the password might make them more obvious. That’s even more true for someone who wants to secretly spy on an account for whatever reason.
Re:
Twitter used to require your phone number (not sure if they still do), and they are known to have had their user database hacked. So, even if they don’t use it for anything important, there’s still a risk. To everyone else as well – even if you personally use it for trivial stuff, the danger is that other users could be scammed if your account is hacked.
“I wonder what percentage of Twitter users have accounts at all”
You need an account to interact with anything.
Re: Re:
You can read tweets without an account.
SMS is not 2FA.
It is 2SV – 2 Step Verification.
Re:
Yes it is.
Convenience
The Twitter Blue subscribers can pay for the convenience of SMS, which means they are paying the Twilio bill.
'Now part of our paid package: A known vector for bad actors!'
While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.
… come again?
‘We acknowledge that this method is routinely abused and open to bad actors which is why we’re phasing it out for anyone who isn’t paying us for extra ‘security’ of their accounts.’
Re:
Thereby supporting Mike’s hypothesis that “it just Musk getting upset after seeing a bill for SMS messaging”. But come on, do you really expect a corporate spokesperson to simply say “this was expensive, so we’re turning it off unless you pay”? Putting positive spins on bad news is basically their job, and they love to say things are “for your protection” (nevermind about the blue-check thing!).
Re: Re:
Oh I’ve no doubt it’s just the latest desperate cash-grab but the messaging could really have used some work, first presenting it as an exploitable hole and then in the next breath saying they’ll start charging for it.
Re: Re: Re:
When writing copy, I’ve sometimes thrown up my hands at getting a reasonable explanation. That’s in the field of technical writing, and if you see something that seems very carefully worded to avoid mentioning one specific thing, that might be what happened. So it’s entirely possible whoever wrote this also asked “…then why allow it for paying customers?” and never got a good answer. Hell, maybe they intentionally worded it to highlight a CEO decision they disagreed with, while maintaining plausible deniability.
There’s also the nightmare of rebuilding Google Auth if your phone bricks.
Re:
I can check that box too.
Re: a use for old phones
I feel you. I keep an old phone around (and you can get one for super cheap, if you like), disconnected from the internet, just as an authenticator backup.
Re:
Wikipedia says it’s TOTP-based, so what’s the problem? Take a picture of the QR code when you enable the 2-factor-authentication, print it out, and put it somewhere safe. That’s assuming Google’s program doesn’t have a proper backup feature, which would be dumb on their part (considering how easy it is to embed public-key crypto into a program).
Re: Make backups to avoid the nightmare
Use cloud backups or make manual backups if Google Authenticator allows it. If not then switch to a libre 2FA app which supports backups. I’m currently using Aegis Authenticator on Android, and I can export a backup which I can then manually transfer to a different device.
Re:
It’s really not hard at all if you took care to take backups/store the backup codes. There’s also other apps available if you dislike the way that one works.
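Two threads above lean on the same mechanism: the post’s point that an authenticator app (unlike SMS) keeps the second factor on the device with no carrier in the loop, and the comments about Google Authenticator being TOTP-based and the enrolment QR code being the thing to back up. The following is an added example, not code from the original post, from Twitter or from any authenticator vendor: a minimal RFC 4226/6238 implementation with the enrolment URI parsed and re-exported, and a server-side verifier that tolerates one step of clock skew but refuses replayed codes. The account label, issuer and URI are constructed for illustration; the secret is the RFC 6238 test key, so the codes can be checked against the RFC’s own tables.

```python
"""TOTP enrolment, verification and backup per RFC 4226/6238 (added example; the
account label, issuer and URI are constructed, the secret is the RFC test key)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed enrolment URI: this is what the setup QR code encodes. Everything the
# second factor consists of is in this one string; no carrier or phone number is involved.
ENROLMENT_URI = ("otpauth://totp/Twitter%3Aalice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                 "&issuer=Twitter&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time. Phone and server each
    compute this from the shared secret and their own clock; nothing is transmitted."""
    return hotp(secret, at // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/ URI, the de facto format behind enrolment QR codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # apps usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def export_otpauth(label: str, secret: bytes, issuer: Optional[str] = None,
                   algorithm: str = "sha1", digits: int = 6, period: int = 30) -> str:
    """Re-serialise an entry, e.g. to move it to another app or print a paper backup."""
    params = {"secret": base64.b32encode(secret).decode().rstrip("="),
              "algorithm": algorithm.upper(), "digits": digits, "period": period}
    if issuer:
        params["issuer"] = issuer
    return f"otpauth://totp/{quote(label)}?{urlencode(params)}"


class TotpVerifier:
    """Server side: accept the current step +/- `window` steps of clock skew, and never
    accept a counter at or below the last one used (the RFC 6238 one-time rule)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 algorithm: str = "sha1", window: int = 1):
        self.secret, self.step, self.digits = secret, step, digits
        self.algorithm, self.window = algorithm, window
        self.last_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if now is None else now
        for delta in range(-self.window, self.window + 1):
            counter = now // self.step + delta
            if counter <= self.last_counter:
                continue                      # replay, or older than a code already accepted
            expected = hotp(self.secret, counter, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo(now: int = 59) -> dict:
    """Enrol from the constructed URI, generate the code a phone would show at `now`,
    verify it once, show the identical code is refused on replay, and round-trip a backup."""
    entry = parse_otpauth(ENROLMENT_URI)
    code = totp(entry["secret"], now, entry["period"], entry["digits"], entry["algorithm"])
    server = TotpVerifier(entry["secret"], entry["period"], entry["digits"], entry["algorithm"])
    first, replay = server.verify(code, now), server.verify(code, now)
    backup = export_otpauth(entry["label"], entry["secret"], entry["issuer"])
    return {"code": code, "accepted": first, "replay_accepted": replay,
            "backup_restores_same_secret": parse_otpauth(backup)["secret"] == entry["secret"]}


if __name__ == "__main__":
    print(demo())
```

The round trip in `demo` is the whole of the backup argument: a photo or printout of the enrolment QR code restores the factor exactly, which also means anyone who obtains that image holds your second factor for good. That is the trade-off a TOTP app makes relative to a security key, where the private key never leaves the hardware and there is nothing to photograph.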
twitter doesn't need 2FA
It’s a platform for bitching about politics and spreading memes. It doesn’t hold bank account information.
Seriously, stop pretending this is all serious just so you have something to bitch about.
Also, paid subscribers really does help for verification, because at least then you have their billing info.
Re:
But it does hold credit card information for those who subscribe to Twitter Blue.
Re: Re:
I have no idea about their security arrangements but it is very common to not store such info directly or to have it encrypted. It is not at all the same as a bank account.
And besides, if they were paying for it, they could have 2FA, yeah? This is gossipy nag in search of an actual problem.
Re: Re: Re:
“it is very common to not store such info directly or have it encrypted”
It’s very common to do things very differently to most of the things Musk is doing, hence the constant comments about him doing them differently.
“And besides, if they were paying for it, they could have 2FA, yeah? ”
It’s also possible not to have it. It’s also clear that it’s the least secure version of 2FA.
“This is gossipy nag in search of an actual problem.”
You’re free to go elsewhere any time you like. Or present actual objections to the issues raised, rather than things that are easily and immediately debunked.
Re:
“It’s a platform for bitching about politics and spreading memes”
No, it’s not. That might be how you personally choose to use it, but it has other uses.
“Seriously, stop pretending this is all serious just so you have something to bitch about.”
Compared to bitching every time an article critical of Musk is published, it’s of way more import if user accounts are used for fraud.
“Also, paid subscribers really does help for verification, because at least then you have their billing info.”
…and if you trust that site with such things, you’re even dumber than you represent yourself here.
Re: Re:
….you’re full of shit, dude. I’m glad no one takes you seriously.
Re: Re: Re:
You’re entitled to your own opinion, but not your own facts. Not my fault if you regularly confuse the two.
Re:
…said nobody mentally competent, ever.
“The last consent decree with the FTC (remember, this was less than a year ago) was mostly about SMS 2FA, and how Twitter had abused the phone numbers it had on file, provided for 2FA, as a tool for marketing.”
Obviously the answer is write bills mandating the collection of more data about users instead of mandating separate “limited” OS versions for minors.
The capper to all of this is that Twitter’s message is that, instead of turning off SMS 2FA, if you don’t turn it off yourself they’re gonna turn off your account, which is just about the stupidest way to do this I can imagine.
Re:
The real kicker: even the turning off process sometimes doesn’t work.
Thanks Elon.
It sounds like this isn’t really two-factor authentication. It’s half-factor authentication. You can get into the account if you know (or can guess) the password or have (or can fake) the phone. Which is great for people who lock themselves out of their account, but not great for actual increased security.