Security experts are unanimous that using SMS-based two-factor authentication (2FA) is insecure and puts users at risk of compromise – SMS-based communications are too easily intercepted or redirected by malicious actors in so-called SIM swapping attacks, and the time to move away from this outdated and unsafe technology has long since passed.
So if one accepts Twitter’s announcement that it plans to remove SMS-based 2FA as an option for non-paying users on 20 March 2023 at face value, it is easy to read it as an entirely sensible and reasonable attempt to nudge users towards more secure MFA options, such as the use of a mobile application or a physical security key. It seems like a logical decision.
But it is no longer clear if Twitter is taking decisions on a logical basis; the social media platform has been plagued by a myriad of problems, many of them cyber security and compliance issues, since its takeover by erratic billionaire Elon Musk in 2022.
Many of these issues are widely thought to have been caused by Musk’s tendency to make spur-of-the-moment decisions on a whim, and there is some suggestion that this latest policy change may be one such decision, made to address one specific problem – possibly the expense of offering SMS 2FA – but without thought to the wider ramifications.
For one thing, the decision to allow paying users to retain the ability to use an insecure authentication method as a premium feature makes no sense, and nor has Twitter done anything to incentivise users to start paying for its premium “Blue” tier.
As such, said Andy Kays, CEO of Socura, a supplier of managed detection and response (MDR) services, it will shortly be “Christmas come early” for fraudsters.
Everyone knows SMS-based 2FA has its flaws, explained Kays, but because it is easier – and usually cheaper – to use, it has become a security feature of great value to the lay population.
“In the short term, the removal of 2FA could be harmful, especially among less tech-savvy social media users,” said Kays. “Most people will switch from using SMS 2FA to using no form of 2FA whatsoever. They will be far less secure as a result, and a prime target for fraudsters, cyber criminals and identity thieves.”
“In the long term, we can only hope that this move is the catalyst for universal authentic app adoption. It is true that authenticator apps are a much better form of 2FA, but users should have been encouraged to switch at their own free will over a period of time, not forced to do so,” he said.
Alexander Heid, chief research and development officer at security rating specialist SecurityScorecard, said: “When SMS-based 2FA is disabled on 20 March, there may be a small percentage of non-paying users experience account takeovers if they have been reusing passwords that are circulating on public data breaches and relying solely on SMS-based 2FA to keep their account secure.
“If a person is in the habit of reusing old passwords, it is advised to change your password regardless of the 20 March switchover.
However, he added: “It has been reported that only 2.6% of Twitter users make use of 2FA – so only a small portion of overall Twitter users will be impacted by these changes.”
If you are currently using SMS-based 2FA to log in to Twitter and would prefer not to be made to pay to retain the use of an insecure service, Twitter will continue to make two other options available, both of which are worth considering.
The most secure 2FA option for Twitter is a physical security key – such as Yubikey by Yubico or Google Titan – a small device that connects to your computer, either via the USB port or wireless connectivity, to generate a one-time passcode (OTP) that you can then use to log in to the service.
Physical keys are considered highly secure because they must be in your possession, and cannot be easily bypassed should a cyber criminal have compromised your Twitter credentials.
An authenticator application – such as Authy by Twilio, Google Authenticator or LastPass – works on a similar principle but generates codes on your mobile device that you can use when you log in to Twitter.
Such apps still provides a decent level of protection should your credentials have been compromised somehow, but are vulnerable if your mobile is stolen and impractical if your mobile is lost.