Twitter-owner Elon Musk’s latest decision to turn off SMS 2FA after 20th March unless you pay for Blue Tick has caused another storm of criticism.
What And Why?
On 15 February, Twitter announced that: “starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2-Factor Authentication unless they are Twitter Blue subscribers.” Twitter Blue is Twitter’s own paid-for authentication service which was ramped-up recently as a way of giving Twitter another revenue stream to get away from its near total reliance upon ad revenue.
Twitter justified the change by saying that: “unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors”.
SMS 2FA Known To Be Insecure
It’s true to say that SMS as a form of 2FA has been known (for several years) to be much less secure for authentication than some other methods. For example, cyber criminals operate SIM jacking and SIM swap hacks and obtain leaked credentials like a username, cracked password, and phone number, enabling them to get past 2FA, e.g. using a password reset and fooling the device.
That said, at least having SMS 2FA is much better and more secure than having no second authentication factor enabled.
Non-Twitter Blue Users Have 30 Days
Twitter also announced that for non-Twitter Blue subscribers (i.e. the vast majority of Twitter users) who are currently using SMS as their 2FA method on the platform, it’s a case of being given 30 days to disable SMS and find another third-party 2FA solution, after which time, SMS 2FA will be switched off. Twitter says that “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled”.
What Are The Options?
Twitter recommends using an authentication app or security key method instead. Examples of popular authentication apps include Google Authenticator, Microsoft Authenticator, Authy, and LastPass Authenticator. A security key can use a USB based method, or some people connect wirelessly or through Apple’s lightning port. Examples of popular security keys include Yubico Yubikey, Kensington VeriMark USB-C, and Nitrokey FIDO2.
What If You Haven’t Found An Alternative In That Time?
One of the main criticisms within the online storm following the announcement is that if non-Blue Tick users don’t get an alternative in place before 20th March they’ll simply be left with no protection and, presumably, open to security threats.
Others have questioned the fact that if Twitter’s move was motivated by security, wouldn’t they want their paid accounts to have a more secure method of 2FA than SMS too?
What Does This Mean For Your Business?
Although it’s accepted that SMS for 2FA is one of the less secure methods, it seems likely that this change is more about money. For example, the Blue Tick service is a way to create a revenue stream beyond advertising and although it appears a little heavy handed, this announcement may get more Twitter users to sign up.
Also, sending SMS messages costs money and Twitter presumably needs to save more money right now wherever possible. It’s not surprising that many users may feel a little concerned about being given a time limit and being essentially told to go and sort their own security arrangement out but given the troubles at Twitter lately, they may not be too surprised.
That said, one positive aspect may be that it may increase awareness about the different types and brands of authenticators and security key options available and their pros and cons, and it may actually mean that non-Blue Tick accounts will be more secure and less at risk as a result.
By Mike Knight