The Twitter Blue 2FA Fiasco

Since taking the helm of Twitter, Chief Twit and maniacal entrepreneur Elon Musk has ruffled some feathers. From losing advertisers to claims he asked engineers to boost his popularity on the platform, it has been a wild ride.

The latest twist is that Twitter has announced two-factor authentication using text messages will be a Twitter Blue only feature. There is an image circulating, and people are upset.

Is Twitter disabling text message two-factor authentication a security threat? Well, it is if you don’t configure something else in its place. Install Authy and spend the 2 minutes configuring it. Problem solved.

Now, here is the thing. Twitter isn’t monetising all forms of 2FA, just text messages. You can still use an authenticator app like Authy or Google Authenticator. That’s what everyone should be using anyway. Twitter is doing users of this insecure form of 2FA a solid here.

Text messaging is very insecure. Over the years, there have been many high-profile attacks, especially through SIM swapping. Jack Dorsey (the ex-CEO of Twitter) famously fell victim to a SIM-swapping attack that saw hackers gain access to his Twitter account.

Not many people probably realise this, but text messages are a highly insecure form of communication. They are sent in plaintext over cellular networks, and it is possible to intercept them using hardware and software that is easily available online.

While it hasn’t been said out loud, Twitter appears to be doing this for cost-related reasons. It costs money to send text messages, and based on the intensity of the backlash, it appears a lot of people used this form of 2FA (which I find quite worrying).

So, the irony of this situation is that Twitter is doing non-paid subscribers a favour here by not allowing them to use one of the most insecure forms of 2FA around. Are text messages convenient? Absolutely. But does opening an authenticator app to get a code take any more steps? No. Instead of a text message, it’s an authenticator app. Am I missing something here?