Twitter is disabling a key security precaution this week - one designed to make it harder for scammers to hijack your account.
Unless you shell out $19 per month for Twitter Blue, you’ll lose access to 2FA (two-factor authentication) by SMS - that is, a text message sent to your phone - either every time you log on or selectively, for example when you (or a baddie) try to sign in to your Twitter account from a new device.
It’s true the move will save new owner Elon Musk around US$60 million per year (by his own count) - the money his firm paid to phone companies to send authentication texts. But Musk also argues that 2FA by text is prone to exploitation by bad actors (more on which shortly).
Use of free authentication apps for 2FA will remain free and are much more secure than SMS https://t.co/pFMdxWPlai— Elon Musk (@elonmusk) February 18, 2023
Regardless, the Office of the Privacy Commissioner took a swipe at Musk on Wednesday with a release titled “Getting flipped by the bird”.
“The free and easy SMS two-factor authentication (2FA) to log into your Twitter account ends today,” the OPC said.
“That concerns Privacy Commissioner Michael Webster because it takes away one of the most common ways to verify who users are on their free accounts, which puts their privacy at risk.
“All social media platforms have a responsibility to their users in New Zealand and operate here under the Privacy Act... my office deals with privacy breaches daily... it is disappointing to see a readily-accepted, free, easy to use, and easy-to-understand verification step is being taken out of a platform that people enjoy using.”
Paul Brislen, head of the Telecommunications Forum, has posted that “2FA is your friend” - but also “use an authenticator not text message to access it”. 2FA by text is convenient - but the text message system was not designed for it.
And the New York Times’ technology correspondent Brian Chen wrote: “Twitter’s announcement of this change was initially confusing and alarming for many. But to be clear, Twitter is pushing users to adopt stronger safeguards - and it has created an opportunity for us all to bite the bullet and improve the security of our online accounts.”
Both Brislen and Chen use codes generated by Google’s (free) Authenticator app as what they say is a safer alternative to 2FA by text (see instructions below).
The Privacy Commissioner did not immediately respond to a query over whether Musk had a point that app-based authentication is safer.
But his original release addressed that point by saying 2FA by text is “free, easy to use, and easy to understand... Twitter said they have taken this step because they had seen phone-number-based two-factor authentication abused. But we are still seeing major institutions that are internet-safety-aware use SMS two-factor authentication”.
Maybe so, but their customers aren’t using it. Going by figures in a 2021 Twitter security report, only 2.6 per cent of Twitter accounts had any form of 2FA enabled (of that subset, 74.4 per cent used SMS as their 2FA, 28.9 per cent used an authenticator app and 0.5 per cent used a security key - which involves plugging in a USB key).
I asked if the Privacy Commissioner had put his concerns to Twitter. A spokesperson said his office did not have a contact at Twitter (where Musk has culled nearly all comms staff and many internet safety and regulatory roles, as part of his push to halve the firm’s workforce). The spokesperson noted that “Musk has said that any inquiries about this are being sent the poo emoji”. The Musk-era Twitter is also snubbing Netsafe.
The Privacy Commissioner’s stance does have support from a leading academic.
“Text-based 2FA does have some potential issues. Basically, someone could access your phone or convince the provider to swap the number,” said David Parry, dean of the School of IT at Western Australia’s Murdoch University (and until recently head of computer science at AUT).
“However, this is pretty low-risk for Twitter since it’s not used for sending cash. So getting rid of it seems like an odd thing to do and would reduce security overall,” he said.
“This will make it harder for normal users to use 2FA at all, which is not good. Security measures are always a tradeoff between convenience and protection - and SMS 2FA seems reasonable for Twitter.”
Parry says it will drive revenue for Twitter if more people pay $19 per month for verification (which will let them keep text-based 2FA), and increase the marketability of Twitter Blue. At the same time, the move would reduce Twitter’s payments to telcos for SMS.
The Privacy Commissioner also gets backing from Auckland University Computer Science Department senior lecturer Dr Rizwan Asghar, who says: “If Musk thinks that phone-number based 2FA can be abused by bad actors then why are they offering it to Twitter Blue subscribers, who actually deserve better security services in my opinion?”
Asghar adds: “Using phone-number-based 2FA is offered by millions. I think Twitter should take a step forward to mitigate issues that result in potential abuses instead of stopping it.”
What is 2FA - and why is authentication via an app better?
“Currently many companies use text messages for two-factor authentication (2FA), which is a great way to prove you are who you say you are. Not only do you know the username and password to the service but you also have that person’s phone and can enter a secret code the bank or service provider sends to you,” Brislen explains.
“While someone might have access to your username and password without you being aware, it’s highly unlikely they’ll also have access to your mobile device, making them an ideal way to provide authentication.
Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages— Elon Musk (@elonmusk) February 18, 2023
“But text messages were never designed with this kind of security element in mind. Sure, they’re encrypted, but many of us have our phones set so urgent messages pop up on the home screen, which means anyone can see them. That’s great for convenience but not so good for security.
“Enter the Authenticator - an app from a third-party provider (mine is from Google but there are others) that provides a rolling screen of authentication codes linked to various accounts. These codes are synchronised with each provider I’ve signed up to, so instead of waiting for a text message I just log on to the app and get them from there. No messages to intercept, no home screen issues, no loss of convenience but much higher levels of secrecy.
“Marketing departments are going to have to make the leap from the exciting world of email and text message spam to a more secure environment to protect their customers. It’s not impossible but it will need a lot of retraining for marketing teams and customers alike. But when you compare that with our current system that allows fake emails, text message scams and increasing fraud, it’s something that we need to do sooner rather than later.”
No 2FA perfect
“No single method of online authentication is perfect, but two-factor authentication remains a great way to quickly boost the security of online accounts - even by text. Cybercriminals have used certain phishing messages to work their way around 2FA login processes. Like most online activities, there are ways that criminals can bypass 2FA security and access your account. For example, lost password recovery usually resets your password via email, and it can completely bypass 2FA,” Norton ANZ managing director Mark Gorrie said.
“But what is important for Kiwis to understand is the extra step to access an account means thieves have more work to do to successfully breach an account. Even sophisticated cybercriminals look for easy targets and having 2FA enabled makes [cybercriminals] harder work. Norton recommends that you turn on two-factor authentication. Even though it’s not 100 per cent secure, 2FA can bolster your cybersecurity and is a recommended practice.”
Losing your phone - or switching to a new one - can be a hassle
Chen noted: “The big downside to using authenticators is that if you lose your phone or switch to a new one, it can be a pain to regain access to your accounts. Typically a site or app like Twitter will let you regain access to your account with a back-up code. In Twitter’s two-factor authentication settings, one menu labelled ‘back-up codes’ will generate a code to let you log back in. Make sure to jot this code down and store it in a safe place.
“This technique takes some time and mental bandwidth to set up properly and get used to, but it’s better overall. It’s much tougher for someone to hijack your device to see your security codes than it is to intercept a text message.”
Getting started with an authenticator
- The Times’ Chen notes there are a number of authenticator apps, but uses Google Authenticator as an example.
- First, download the Google Authenticator app onto your phone (it’s available via Apple and Google’s app stores, for iPhone or Android). Then, on Twitter.com from a computer, click More→Security and Account Access→Two-Factor Authentication→Authentication App.
- From here, follow the steps on Twitter. You’ll be asked to use the Authenticator app to scan a QR code with your phone camera, which will link the app with your Twitter account and start generating security codes.
- When you log in to Twitter, you’ll enter your username and password and then open the Authenticator app to find the temporary code.
If you want to use your iPhone’s built-in two-factor authenticator specifically with Twitter, here’s what you need to do. In the Twitter app, tap on your profile icon in the top-left and then go to Settings and Support > Settings and privacy > Security and account access > Security > Two-factor authentication.
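To make concrete what Brislen describes above (codes “synchronised with each provider”, with no message to intercept) and what the QR-code step in the setup instructions actually enrols, here is an added Python example of the time-based one-time password scheme (RFC 6238) that authenticator apps implement; it is not Twitter’s or Google Authenticator’s code. It assumes the common defaults (30-second step, six digits, HMAC-SHA1) and a constructed otpauth enrolment URI that uses the RFC test secret and a made-up account name.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

STEP = 30   # seconds per code (assumed default)
DIGITS = 6  # code length (assumed default)

def parse_otpauth(uri):
    """Pull the shared secret and account label out of an otpauth://totp/... URI,
    which is what the QR code shown during enrolment encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(u.query)["secret"][0]
    return secret, unquote(u.path.lstrip("/"))

def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to DIGITS digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret_b32, at=None):
    """The code the app displays: the counter is just the current 30-second step,
    so app and server agree without anything being sent over SMS."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // STEP)

def verify(secret_b32, submitted, at=None, window=1):
    """Server side: accept the current step plus or minus `window` steps to allow
    for clock drift, comparing in constant time."""
    t = int(time.time() if at is None else at)
    counter = t // STEP
    return any(hmac.compare_digest(hotp(secret_b32, c), submitted)
               for c in range(counter - window, counter + window + 1))

# Constructed enrolment URI: RFC 6238 test secret, made-up account name.
ENROL_URI = ("otpauth://totp/Twitter:%40example?secret="
             "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Twitter")

if __name__ == "__main__":
    secret, label = parse_otpauth(ENROL_URI)
    print(label, totp(secret))
```

The same secret produces a fresh code every 30 seconds on both sides; a code from an old step is rejected once it falls outside the server’s window.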