Twitter’s Bizarre New Two-Factor Authentication Policy Puts Users at Risk
Reading Time: 4 minutesWhat to Know About Twitter’s Bizarre New Two-Factor Authentication Policy, What to know about Twitter’s new two-factor authentication policy.
On Feb. 15, Twitter announced in a blog post that it will no longer allow users who don’t pay for a Twitter Blue subscription to use text message-based two-factor authentication to protect their accounts. It’s a bizarre decision—and while it’s shrouded in the rhetoric of trying to improve users’ security, the timeline and options available to users suggest that the policy change will have the opposite effect.
There are good security reasons to nudge users away from using two-factor authentication based on text messages. Twitter highlights in its announcement that SMS messages used as a second factor for authentication can also be ‘used—and abused—by bad actors,’ and that’s absolutely true. More than six years ago, the National Institute of Standards and Technology proposed phasing out SMS-based text messages as a form of two-factor authentication, citing concerns that SMS messages (and voice calls) could be intercepted. Text messages and calls sent to specific phone numbers can be relatively easily redirected to new devices using techniques like a SIM swap scam, where a scammer convinces your mobile carrier to transfer your mobile number to one of their own SIM cards using stolen personal information. These types of scams have noticeable impacts on the effectiveness of SMS-based 2FA. For instance, a 2019 Google study of its own users found that SMS-based 2FA blocked only 76 percent of targeted attacks, compared to on-device prompts that blocked 90 percent of targeted attacks.
So, it is safer to deliver two-factor authentication via push notifications in a smartphone app or other on-device prompts, and safer still to use a separate, physical security key as a second factor for authentication. In fact, in 2020, Google shifted its default two-step verification process to use on-device prompts—that is, pop-up notifications that appear on devices where the user was already signed into their Google account—instead of SMS messages or voice calls.
But there are some pretty significant differences between what Google did two and a half years ago and what Twitter is proposing to do now. For one, while Google changed the default two-factor log-in mode for users, it did not eliminate SMS-based authentication, so users who were unable to use on-device prompts (for instance, if they did not have smartphones) were still able to protect their accounts with two-factor authentication. More importantly, Google did not disable two-factor authentication for any accounts as part of its policy change.
By contrast, Twitter announced that on March 20, any accounts with text message 2FA enabled will have it completely turned off. That means that users have only a month to switch to a different form of 2FA or lose it entirely. And the change will affect a large portion of Twitter’s users who have 2FA enabled. According to a 2021 security report, nearly 75 percent of Twitter users with two-factor authentication used SMS, around 29 percent used app-based authentication, and 0.5 percent used physical security keys (users can enable more than one 2FA method). Perhaps the most striking number in the whole report, however, is that only 2.6 percent of active Twitter accounts had a 2FA method enabled at all.
If Twitter actually wanted to improve user security, an obvious first step might be trying to encourage more users to enroll in 2FA in the first place. Though any such effort might be hindered by Twitter’s history with 2FA. Last year, Twitter was fined $150 million by the Federal Trade Commission for using the phone numbers that its users provided for 2FA to target them with ads.
But instead of encouraging more users to enroll in 2FA, or even trying to prompt them to use more secure forms of 2FA like smartphone apps or security keys, Twitter’s new policy seems designed to try to extract some money from the less than 2 percent of its users who use SMS-based 2FA. Some of those users may switch to other forms of 2FA to avoid paying for Twitter Blue, but many others will probably just end up unenrolled from 2FA altogether, given the brief window of time they have to make the switch.
Wired reports that users have already been confronted with in-app pop-ups advising them to remove 2FA entirely or switch to a new mode if they don’t want to lose access to their accounts, but it’s not clear that will be sufficient to notify everyone to whom the changes will apply within the month-long window they have to reconfigure their settings. Certainly, if you’re using SMS-based 2FA on Twitter, this is a good moment to switch to using the authentication app. And if you’re not using 2FA on Twitter, this would also be a good moment to start using their authentication app—while it’s still free!
Most mystifying of all is why Twitter would want to offer its paying subscribers the option for a weaker form of security. By contrast, last year, Google offered paying subscribers access to a physical Titan Security key—a stronger form of 2FA than was available to its free users. Indeed, no part of this policy change seems designed to improve the security of anyone’s Twitter account, whether they are paying subscribers or free users. Some people will switch to safer forms of 2FA, but likely more will be quietly booted out of the security measure all together, leaving the site as a whole more vulnerable. And it won’t do anything to address the much bigger security challenge Twitter faces in encouraging most of its users to turn on 2FA in the first place.
Ref: slate
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG