Since taking the helm of Twitter, Chief Twit and maniacal entrepreneur Elon Musk has ruffled some feathers. From losing advertisers to claims he asked engineers to boost his popularity on the platform, it has been a wild ride.
The latest wild ride: Twitter has announced that two-factor authentication using text messages will be a Twitter Blue-only feature. There is an image circulating and people are upset.
Is Twitter disabling text message two-factor authentication a security threat? Well, it is if you don’t configure something else in its place. Install Authy and spend the 2 minutes configuring it. Problem solved.
Now, here is the thing. Twitter isn’t monetising all forms of 2FA, just text messages. You can still use an authenticator app like Authy or Google Authenticator. That’s what everyone should be using anyway. Twitter is doing the users of this insecure form of 2FA a solid here.
Text messaging is very insecure. Over the years, there have been many high-profile attacks, especially because of SIM swapping. Jack Dorsey (the ex-CEO of Twitter) famously fell victim to a SIM-swapping attack that saw hackers gain access to his Twitter account.
Not many people realise this, but text messages are a highly insecure form of communication. They are sent in plaintext over cellular networks, and it is possible to intercept them using hardware and software that is easily available online.
While it hasn’t been said out loud, the reason Twitter appears to be doing this is cost. It costs money to send text messages, and based on the intensity of the backlash, it appears a lot of people used this form of 2FA (which I find quite worrying).
So, the irony of this situation is that Twitter is doing non-paid subscribers a favour here by not allowing them to use one of the most insecure forms of 2FA around. Are text messages convenient? Absolutely. But does opening an authenticator app to get a code take any more steps? No. Instead of a text message, it’s an authenticator app. Am I missing something here?
This was absolutely done with the intention of saving money. Some phones have the ability (I don’t know on what basis) to scrape the number out of a text message and enter it for you. Authenticators generally don’t have that capability. And yes, SMS has vulnerabilities, but for the vast majority of Twitter users, it’s sufficient to prevent opportunistic “thieving” of an account.
The ironic and stupid thing here is that if we presume Twitter Blue users are more likely to be the ones with larger groups of followers, you’d think they should be the ones forced to use an Authenticator App, since compromise of popular accounts far outweighs a compromise of someone with a handful of followers. (In any event, if they understood the security implications of SMS, they’d probably be using an Authenticator already).
One other thing — which does not apply in the Twitter case it would seem. There appears to be a propensity in some situations for companies to have their own Authenticator apps. Microsoft has one (which it fortunately self-launches on my iPhone), Fortinet has one. It’s going to get ridiculous if a lot of sites start requiring their own authenticator app.