Over the weekend, Twitter caused a security stir when it suddenly decided to discontinue the text message/SMS method of two-factor authentication (2FA) for users who are not subscribed to its paid Twitter Blue service.
In a statement released on Friday, Twitter explained that phone-number based 2FA has been exploited by malicious actors, and therefore the company will no longer allow accounts to enroll in this method unless they are Twitter Blue subscribers. Existing non-Twitter Blue subscribers enrolled in this method will have 30 days to disable it and enroll in an alternative method.
Yesterday, Twitter announced that starting from March 20, users will only be able to use SMS-based two-factor authentication to secure their accounts if they subscribe to Twitter Blue. Two-factor authentication requires users to enter a username and password and then an additional “factor” such as a numeric code. While security experts advise the use of a generator app for these codes, many people opt to receive them in SMS text messages. Thus, Twitter’s decision to remove this option for unpaid users has left experts puzzled. This move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. Twitter is encouraging its unpaid users to explore other 2FA methods, such as authentication apps or security keys.
Twitter Blue is the only way to get a blue verified checkmark on Twitter accounts now and costs $11 per month on Android and iOS and less for a desktop-only subscription. Users who were previously using SMS-based two-factor authentication will be able to switch to an authenticator app or a physical security key.
Twitter stated in a blog post published on Friday evening that while phone-number-based two-factor authentication (2FA) has historically been a popular form of 2FA, it has unfortunately been used and abused by bad actors. As a result, accounts will no longer be allowed to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.
In a July 2022 report on account security, Twitter revealed that only 2.6% of its active users have any type of two-factor authentication enabled. Of those users, nearly 75% were using the SMS version, almost 29% were using authenticator apps, and less than 1% had added a physical authentication key. Although SMS-based two-factor authentication is insecure, as attackers can hijack phone numbers or use other techniques to intercept texts, security experts have emphasized that using SMS two-factor is still significantly better than having no second authentication factor enabled.
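The authenticator apps the article contrasts with SMS generate time-based one-time passwords (TOTP, RFC 6238) locally from a shared secret, so there is no text message for an attacker to intercept. The following is an added illustration, not code from Twitter or from the article, of what such an app and the server-side check do; it uses the RFC 4226/6238 test secret and a constructed session, and the `window` and `last_used_counter` handling are assumptions about how a server might tolerate clock drift and reject replayed codes.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890") in base32.
# This is the standard's published example, not any real account's secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # time-step size used by common authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """What the authenticator app computes: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, last_used_counter: int = -1):
    """Server-side check (assumed design).

    Accepts the current step and +/- `window` neighbouring steps to absorb clock
    drift, compares in constant time, and refuses any counter at or before
    `last_used_counter` so a code that was already accepted cannot be replayed.
    Returns the matched counter (to be stored as the new last_used_counter) or None.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # replay or stale step: never accept twice
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)
    print("current code:", code)
    print("verified at counter:", verify_totp(RFC_TEST_SECRET_B32, code, now))
```

Because the secret is provisioned once (typically via a QR code) and the six-digit code is derived from it and the clock, a phishing or SIM-hijacking path has nothing to intercept in transit; the residual risks are theft of the secret itself and real-time relay of a code, which the short step and the replay check above limit but do not eliminate.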
Tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users to other forms of authentication over many months or years. Researchers are concerned that Twitter’s policy change will confuse users by giving them little time to complete the transition and making SMS two-factor seem like a premium feature.
Lorrie Cranor, Director of Carnegie Mellon’s Usable Privacy and Security Lab, agrees with Twitter’s blog post that SMS-based two-factor authentication is frequently abused by bad actors and is less secure than other 2FA methods. However, she questions why Twitter would only disallow SMS-based two-factor authentication for non-Twitter Blue subscribers. She argues that if Twitter’s motivation is security, then it should want to keep paid accounts secure too, rather than leaving the less secure method available only to paid accounts.
The changes to two-factor authentication on Twitter will roll out in mid-March, but users with SMS-based two-factor authentication have already started encountering a pop-up overlay screen advising them to either remove two-factor authentication entirely or switch to other methods. It is unclear what will happen if users do not disable SMS-based two-factor authentication by the new deadline. Twitter’s in-app message to users implies that people who still have SMS-based two-factor authentication turned on when the change officially happens on March 20 will be locked out of their accounts. However, Twitter’s blog post states that two-factor authentication will simply be disabled on March 20 if users do not adjust it before then. After March 20, 2023, Twitter will no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method, and accounts with text message 2FA still enabled will have it disabled.
On March 20, Twitter will no longer support accounts with SMS two-factor authentication enabled, but the company has not commented on what will happen to these accounts or whether the policy change will result in a significant loss of two-factor adoption. Some have criticized the decision, suggesting that it undermines users’ security and may not significantly reduce Twitter’s costs. Jim Fenton, an independent identity, privacy, and security consultant, pointed out that the move would make more sense if Twitter were also announcing support for new authentication mechanisms like passkeys.
While Twitter has cited abuse of phone-number-based 2FA by scammers as a reason for the change, some have also noted reliability issues with Twitter’s SMS two-factor mechanism in the past. Elon Musk has expressed support for the decision on Twitter, citing his ongoing battle against bots on the platform. Twitter Blue subscribers will still be able to use the less secure SMS two-factor authentication method, leading some to question the company’s priorities.
Author: Lily Hay Newman