Twitter owner Elon Musk’s latest decision to turn off SMS 2FA after 20 March unless you pay for Blue Tick has caused another storm of criticism.
What And Why?
On 15 February, Twitter announced that: “starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2-Factor Authentication unless they are Twitter Blue subscribers.” Twitter Blue is Twitter’s own paid-for authentication service, which was ramped up recently as a way of giving Twitter another revenue stream and reducing its near-total reliance upon ad revenue.
Twitter justified the change by saying that: “unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors”.
SMS 2FA Known To Be Insecure
SMS has been known for several years to be much less secure as a form of 2FA than some other methods. For example, cyber criminals use SIM jacking and SIM swap attacks, and obtain leaked credentials such as a username, cracked password, and phone number, which enables them to get past 2FA, e.g. by using a password reset and fooling the device.
That said, at least having SMS 2FA is much better and more secure than having no second authentication factor enabled.
Non-Twitter Blue Users Have 30 Days
Twitter also announced that non-Twitter Blue subscribers (i.e. the vast majority of Twitter users) who currently use SMS as their 2FA method on the platform have 30 days to disable SMS and find another third-party 2FA solution, after which SMS 2FA will be switched off. Twitter says that “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled”.
What Are The Options?
Twitter recommends using an authentication app or security key method instead. Examples of popular authentication apps include Google Authenticator, Microsoft Authenticator, Authy, and LastPass Authenticator. A security key can use a USB-based method, or some people connect wirelessly or through Apple’s Lightning port. Examples of popular security keys include Yubico YubiKey, Kensington VeriMark USB-C, and Nitrokey FIDO2.
What If You Haven’t Found An Alternative In That Time?
One of the main criticisms within the online storm following the announcement is that if non-Blue Tick users don’t get an alternative in place before 20 March, they’ll simply be left with no protection and, presumably, open to security threats.
Others have asked why, if Twitter’s move was motivated by security, it wouldn’t want its paid accounts to have a more secure method of 2FA than SMS too.
What Does This Mean For Your Business?
Although it’s accepted that SMS is one of the less secure methods of 2FA, it seems likely that this change is more about money. For example, the Blue Tick service is a way to create a revenue stream beyond advertising and, although it appears a little heavy-handed, this announcement may get more Twitter users to sign up. Also, sending SMS messages costs money, and Twitter presumably needs to save money wherever possible right now. Many users may feel a little concerned about being given a time limit and essentially being told to go and sort out their own security arrangements but, given the troubles at Twitter lately, they may not be too surprised. That said, one positive aspect is that the change may increase awareness of the different types and brands of authenticators and security keys available, and their pros and cons, and it may actually mean that non-Blue Tick accounts will be more secure and less at risk as a result.