As Twitter forces customers to take away textual content message 2FA, it’s in peril of reducing safety • Graham Cluley

As Twitter forces users to remove text message 2FA, it's in danger of decreasing security

Many Twitter customers have been introduced with a message telling them that SMS-based two-factor authentication (2FA) will probably be eliminated subsequent month.

In response to Twitter, solely subscribers to its premium Twitter Blue service will be capable of use textual content message-based 2FA to guard their accounts.

Twitter message

Frankly, there’s so much to unpack right here.

Firstly, let’s clarify why 2FA is an effective factor to your account safety.

2FA provides a further step in the course of the login course of to providers like Twitter. Reasonably than simply needing your username and password, websites protected by 2FA additionally ask you to enter a six digit verification code – which modifications each 30 seconds or so.

The concept is that even when a hacker has managed to search out out what your password is, they don’t know your 2FA code. That’s as a result of the code is shipped to you through SMS, or generated by an app in your telephone, or probably even on a {hardware} key.

EmailSignal as much as our publication
Safety information, recommendation, and ideas.

There are nonetheless methods to get round 2FA safety, but it surely requires much more effort by anybody attempting to interrupt into your account, and likelihood is that the majority attackers merely wouldn’t hassle going the additional mile and discover a better goal as a substitute.

One drawback with SMS-based 2FA (the place the token is shipped through textual content message) is that previously fraudsters have managed to launch a so-called “SIM Swap” assault.

A SIM swap assault is when a scammer manages to trick the customer support employees of a cellphone supplier into giving them management of another person’s telephone quantity. Typically that is achieved by a fraudster reciting private details about their goal to the corporate, tricking them into believing they’re somebody they’re not. When a web-based account – akin to Twitter – subsequently sends its authentication token to the person’s telephone quantity through SMS it results in the fingers of the legal.

Victims of SIM swap assaults prior to now have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.

That is the rationale why organisations just like the US Nationwide Institute for Requirements and Expertise (NIST) stopped recommending SMS-based 2FA years ago, and why it continues to be my least favorite type of 2FA.

However I nonetheless argue that SMS-based 2FA is healthier than no 2FA in any respect.

And my fear about Twitter’s determination to take away textual content message two-factor authentication kis that it’s going to depart a lot of its customers worse protected than earlier than. As a result of many people will merely observe Twitter’s recommendation to show it off, and never swap over to another type of 2FA.

Twitter’s motives are to not higher safe its userbase. That is is being achieved by Twitter in a determined drive to avoid wasting itself cash, to not enhance the safety of its customers.

If it thinks it’ll promote extra Twitter Blue subscriptions that appears optimistic in my thoughts. I fear that positioning SMS-based 2FA as being solely obtainable to folks ready to pay a month-to-month subscription to Twitter, they might truly be sending out a false message that 2FA through textual content message is definitely the most secure model of 2FA.

Which it actually shouldn’t be.

Addendum

Below Elon Musk’s new rule (and amid big layoffs inside its engineering departments), Twitter seems to have predictably mucked up.

Customers are reporting that once they try and disable textual content message 2FA as requested, they’re seeing the next message.

Twitter fail

I’m undecided whether or not to snicker or cry…

Discovered this text attention-grabbing? Follow Graham Cluley on Twitter or Mastodon to learn extra of the unique content material we submit.


Graham Cluley is a veteran of the anti-virus business having labored for numerous safety firms because the early Nineteen Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Home windows. Now an impartial safety analyst, he frequently makes media appearances and is a global public speaker on the subject of laptop safety, hackers, and on-line privateness.
Comply with him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an e-mail.