
I Like Kill Nerds

The blog of Australian Front End / Aurelia Javascript Developer & brewing aficionado Dwayne Charrington // Aurelia.io Core Team member.


The Twitter Blue 2fa Fiasco

Technology · February 19, 2023

Since taking the helm of Twitter, Chief Twit and maniacal entrepreneur Elon Musk has ruffled some feathers. From losing advertisers to claims he asked engineers to boost his popularity on the platform, it has been a wild ride.

The latest wild ride is that Twitter has announced that two-factor authentication using text messages will be a Twitter Blue only feature. There is this image circulating and people are upset.

Is Twitter disabling text message two-factor authentication a security threat? Well, it is if you don’t configure something else in its place. Install Authy and spend the 2 minutes configuring it. Problem solved.

Now, here is the thing. Twitter isn’t monetising all forms of 2fa, just text messages. You can still use an authenticator app like Authy or Google Authenticator. That’s what everyone should be using anyway. Twitter is doing the users of this insecure form of 2fa a solid here.

Text messaging is very insecure. Over the years, there have been many high-profile attacks because of sim swapping especially. Jack Dorsey (the ex-CEO of Twitter) famously fell victim to a sim-swapping attack that saw hackers gain access to his Twitter account.

Not many people probably realise this, but text messages are highly-insecure forms of communication. They are sent plaintext over cellular networks, and it is possible to intercept them using easily available hardware and software online.

While it hasn’t been said out loud, the reason Twitter appears to be doing this is for cost-related reasons. It costs money to send text messages and based on the intensity of the backlash, it appears a lot of people used this form of 2fa (which I find quite worrying).

So, the irony of this situation is that Twitter is doing non-paid subscribers a favour here by not allowing them to use one of the most insecure forms of 2fa around. Are text messages convenient? Absolutely. But does opening an authenticator app to get a code take any more steps? No. Instead of a text message, it’s an authenticator app. Am I missing something here?

Dwayne


2 Comments
kevmeister68
1 month ago

This was absolutely done with the intention of saving money. Some phones have the ability (I don’t know on what basis) to scrape the number out of a text message and enter it for you. Authenticators generally don’t have that capability. And yes, SMS has vulnerabilities, but for the vast majority of twitter users, it’s sufficient to prevent opportunistic “thieving” of an account.

The ironic and stupid thing here is that if we presume Twitter Blue users are more likely to be the ones with larger groups of followers, you’d think they should be the ones forced to use an Authenticator App, since compromise of popular accounts far outweighs a compromise of someone with a handful of followers. (In any event, if they understood the security implications of SMS, they’d probably be using an Authenticator already).

kevmeister68
1 month ago

One other thing — which does not apply in the Twitter case it would seem. There appears to be a propensity in some situations for companies to have their own Authenticator apps. Microsoft has one (which it fortunately self-launches on my iPhone), Fortinet has one. It’s going to get ridiculous if a lot of sites start requiring their own authenticator app.

Copyright © 2023 · Dwayne Charrington