Twitter Eliminates SMS 2FA for Non-Paying Users
Twitter has many years of “puzzling” behavior around security. In 2022 Twitter paid a $150M civil penalty because of “misrepresentation” of actions it was required to take because of privacy violations as far back as 2011. Also in 2022, former Twitter CISO Peiter “Mudge” Zatko testified to the US Senate Judiciary Committee about Twitter management’s refusal to deal with essential security hygiene issues and personnel issues. Under new ownership, Twitter has made moves that are only “puzzling” if you are looking for increases in security vs. increases in Twitter revenue and reduction of losses. Any business use of Twitter needs to be accompanied by dedicated brand awareness/security efforts to quickly detect misuse or compromise.
This is more about finding additional ways to monetize Twitter as opposed to security. Yes, SIM swapping is a thing, but its successful use is incredibly small given the large-scale use of SMS as a second factor of authentication. The inconvenience [if one can call it that] of moving to a different second factor for authentication will likely drive users to Twitter Blue.
When was the last time you looked at your accounts and made sure you had enabled any MFA options? Have you gone back to the ones using SMS to see if there is an alternative? Lastly make sure you understand the recovery process, both for your account and your authentication app or device. Then test this when you have time for it to go wrong.
Non-paying Twitter users are still able to use the arguably more secure authenticator app or token as a second factor.
There are better 2FA solutions available than SMS. However, to many users SMS 2FA is simple and easy to use. Removing SMS 2FA is very much a retrograde step which will leave many accounts more vulnerable as they either won’t pay for Twitter Blue or won’t adopt alternative MFA solutions such as Apps due to their poor user experience and cumbersomeness. It will also be interesting to see how European data protection regulators will view this move by Twitter and if they will be of the opinion that this is weakening security for many accounts.
Given the implication of passwords in breaches, we should be encouraging the use of strong authentication, not pricing it. One infers that this decision is not about security.
William Hugh Murray
Read more in
Bleeping Computer: Twitter gets rid of SMS 2FA for non-Blue members — What you need to do
Gov Infosecurity: Twitter to Charge for Second-Factor Authentication