Changing Twitter’s two-factor authentication ‘doesn’t make sense’

Twitter announced yesterday that from March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to sign in with a username and password, and then an additional “factor” such as a numeric code. Security experts have long advised people to use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing the option for free users has left security experts racking their brains.

Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The Twitter Blue paid service — the only way to get a verified blue tick on Twitter accounts — costs $11 a month on Android and iOS, and less for a desktop-only subscription. Users who opt out of SMS-based two-factor authentication will be able to switch to an authenticator app or a physical security key.

“Although a historically popular form of 2FA, unfortunately we have seen phone number-based 2FA used and abused by attackers,” Twitter wrote in Blog post posted last night. “Therefore, starting today, we are no longer allowing accounts to register in the 2FA text/SMS method unless they are Twitter Blue subscribers.”

IN July 2022 Account Security ReportTwitter said that only 2.6% of its active users use some type of two-factor authentication. Of these users, almost 75 percent used the SMS version. Nearly 29% used authentication apps, and less than 1% added a physical authentication key.

SMS-based two-factor authentication is insecure because attackers can capture victims’ phone numbers or use other methods to intercept texts. But security experts have long emphasized that using two-factor authentication via SMS is significantly better than no second-factor authentication at all.

Increasingly, tech giants like Apple and Google are moving away from SMS two-factor authentication and moving users (usually over many months or years) to other forms of authentication. Researchers fear the Twitter policy change will confuse users as they will have so little time to complete the transition and two-factor SMS will feel like a premium feature.

“The Twitter blog correctly points out that two-factor authentication using text messages is often used by attackers. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of the Carnegie Mellon Beneficial Privacy and Security Lab. “But if their motivation is security, wouldn’t they also want to ensure the security of paid accounts? It doesn’t make sense to allow a less secure method only for paid accounts.”

While the company says its changes to two-factor authentication will go into effect in mid-March, Twitter users with two-factor SMS enabled yesterday began experiencing a pop-up screen advising them to completely remove two-factor authentication or switch to an authentication app or methods. security key.

It’s unclear what will happen if users don’t turn off two-factor SMS by the new deadline. An in-app message to users implies that people who still have two-factor SMS enabled when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove two-factor authentication for text messages by March 19, 2023,” the notice reads. But a Twitter blog post says that two-factor mode will simply be disabled on March 20 if users don’t set it up before then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message two-factor authentication enabled will have it disabled.”