As Twitter forces users to remove text message 2FA, it’s in danger of decreasing security • Graham Cluley

Security is at risk as Twitter forces users to remove text message 2FA

Many Twitter users are getting messages that SMS-based two-factor authentication (2FA) will be removed next month.

According to Twitter, only subscribers to the premium Twitter Blue service will be able to use text message-based 2FA to secure their accounts.

[Image: Twitter's notice to users about the removal of text message 2FA]

Frankly, there is a lot to unpack here.

First, let me explain why 2FA is good for account security.

2FA adds an extra step to the login process for services like Twitter. Sites protected by 2FA require not only a username and password, but also a six-digit verification code, which changes every 30 seconds.

So even if a hacker finds your password, they still don’t know your 2FA code, because that code is sent to you via SMS, generated by an app on your phone, or in some cases produced by a hardware key.


There are still ways to circumvent 2FA, but they require more effort from anyone trying to break into your account, and most attackers will simply move on to easier targets rather than make that effort.

One of the problems with SMS-based 2FA (tokens sent via text message) is that scammers have in the past launched so-called “SIM swap” attacks against it.

A SIM swap attack is when a scammer tricks a mobile phone provider’s customer service staff into handing them control of someone else’s phone number. In some cases, scammers do this by feeding the company personal information about the target and convincing staff that they are someone they are not. Then, when an online account such as Twitter sends its authentication token via SMS to the user’s phone number, the token ends up in the hands of the criminals instead.

Victims of past SIM swap attacks include former Twitter boss Jack Dorsey, whose Twitter account was hijacked in 2019.

This is why organizations like the National Institute of Standards and Technology (NIST) stopped recommending SMS-based 2FA a few years ago, and why it remains my least favorite form of 2FA.

But I would argue that SMS-based 2FA is better than no 2FA at all.

My concern about Twitter’s decision to remove text message two-factor authentication is that it will leave many users less protected than before, because many will simply follow Twitter’s advice to turn it off without switching to another form of 2FA.

Twitter’s motive here is not to improve the security of its user base. This is a desperate move by Twitter to save money, not to improve user security.

If you think it will sell more Twitter Blue subscriptions, I’m optimistic. I fear that by positioning SMS-based 2FA as something only available to those who are prepared to pay a monthly fee, Twitter may actually be sending the false message that 2FA via text message is the most secure version of 2FA.

It certainly isn’t.

Addendum

Under Elon Musk’s new rules (and amid massive layoffs within its engineering department), Twitter seems predictably in turmoil.

Users have reported receiving the following message when attempting to disable text message 2FA, as Twitter requested:

[Image: Twitter error message shown when trying to disable text message 2FA]

I don’t know if I should laugh or cry…



Graham Cluley is a veteran of the antivirus industry and has worked for many security companies since the early 1990s, when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent security analyst, makes regular media appearances and gives international lectures on computer security, hackers and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.


