Analysts Slam Twitter’s Decision to Disable SMS-Based 2FA


Twitter’s sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant’s already somewhat dubious reputation for protecting users of its services.


Twitter, on Feb. 15, announced that in 30 days it would disable text-message based, or SMS-based, 2FA for all but paying Twitter Blue subscribers. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company said. “At that time, accounts with text message 2FA still enabled will have it disabled.”

Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter’s view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.

Twitter’s Ill-Conceived Move

“The optics are certainly bad,” says Richard Stiennon, chief research analyst at IT-Harvest. “This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords.”

The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.

Security keys are usually a physical device, like a USB dongle, that users can use to verify their identity when logging in to an account. “These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure,” Twitter said.

“Using an authenticator app is better [than text-based 2FA],” Stiennon notes, “but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free.”

Raising Questions About Text-Based 2FA

The social media company’s brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used, and abused, by bad actors.”

The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so-called SIM-swapping attacks, where a threat actor transfers another individual’s phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use them to break into 2FA-protected accounts have persisted for years, as have calls to replace SMS with stronger hardware tokens and app-based code generators.

Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. “For highly targeted attacks, it is true that SMS can be intercepted by determined attackers,” he says, noting that such attacks are rare.

An Attempt to Raise Revenue?

John Pescatore, director of emerging security trends at the SANS Institute, says Twitter’s move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN (and not their ATM card as well) to use an ATM machine. “While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords,” he says.

“The only justification for what they are doing is an attempt to raise revenue,” Pescatore tells Dark Reading. Otherwise, why would they make a supposedly less secure authentication method available only to their paid subscribers, he points out.

A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter’s active accounts would appear directly impacted by Twitter’s recent decision, though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter’s cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.

“Twitter has a consistently poor record around security,” Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead.

“Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8,” Pescatore adds.

Coming Under the Microscope

As if the company’s security challenges were not bad enough, Elon Musk’s controversial leadership of Twitter has also put the company’s every move under the microscope.

“As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum,” says Fernando Montenegro, an analyst with Omdia.

With the latest move, there’s a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards “better” MFA is a good thing for potentially improving resilience against these attacks, he adds. “It’s also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers,” Montenegro says.

The key question here is whether people use SMS because it’s easier to set it up or just because they don’t know about alternatives, he points out. “If the former, and Twitter doesn’t make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on.”
