As Twitter forces customers to take away textual content message 2FA, it’s in peril of lowering safety • Graham Cluley

As Twitter forces users to remove text message 2FA, it's in danger of decreasing security

Many Twitter customers have been introduced with a message telling them that SMS-based two-factor authentication (2FA) will probably be eliminated subsequent month.

In line with Twitter, solely subscribers to its premium Twitter Blue service will be capable to use textual content message-based 2FA to guard their accounts.

Twitter message

Frankly, there’s loads to unpack right here.

Firstly, let’s clarify why 2FA is an effective factor on your account safety.

2FA provides an extra step in the course of the login course of to companies like Twitter. Relatively than simply needing your username and password, websites protected by 2FA additionally ask you to enter a six digit verification code – which adjustments each 30 seconds or so.

The concept is that even when a hacker has managed to search out out what your password is, they don’t know your 2FA code. That’s as a result of the code is shipped to you through SMS, or generated by an app in your cellphone, or presumably even on a {hardware} key.

EmailSignal as much as our publication
Safety information, recommendation, and ideas.

There are nonetheless methods to get round 2FA safety, however it requires much more effort by anybody attempting to interrupt into your account, and likelihood is that almost all attackers merely wouldn’t hassle going the additional mile and discover a better goal as a substitute.

One drawback with SMS-based 2FA (the place the token is shipped through textual content message) is that previously fraudsters have managed to launch a so-called “SIM Swap” assault.

A SIM swap assault is when a scammer manages to trick the customer support employees of a cellphone supplier into giving them management of another person’s cellphone quantity. Generally that is completed by a fraudster reciting private details about their goal to the corporate, tricking them into believing they’re somebody they’re not. When an internet account – reminiscent of Twitter – subsequently sends its authentication token to the person’s cellphone quantity through SMS it results in the palms of the prison.

Victims of SIM swap assaults up to now have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.

That is the explanation why organisations just like the US Nationwide Institute for Requirements and Know-how (NIST) stopped recommending SMS-based 2FA years ago, and why it continues to be my least favorite type of 2FA.

However I nonetheless argue that SMS-based 2FA is best than no 2FA in any respect.

And my fear about Twitter’s determination to take away textual content message two-factor authentication kis that it’ll depart a lot of its customers worse protected than earlier than. As a result of many of us will merely comply with Twitter’s recommendation to show it off, and never swap over to another type of 2FA.

Twitter’s motives are to not higher safe its userbase. That is is being completed by Twitter in a determined drive to avoid wasting itself cash, to not enhance the safety of its customers.

If it thinks it would promote extra Twitter Blue subscriptions that appears optimistic in my thoughts. I fear that positioning SMS-based 2FA as being solely accessible to folks ready to pay a month-to-month subscription to Twitter, they might truly be sending out a false message that 2FA through textual content message is definitely the most secure model of 2FA.

Which it actually shouldn’t be.


Beneath Elon Musk’s new rule (and amid big layoffs inside its engineering departments), Twitter seems to have predictably mucked up.

Customers are reporting that once they try and disable textual content message 2FA as requested, they’re seeing the next message.

Twitter fail

I’m undecided whether or not to snigger or cry…

Discovered this text attention-grabbing? Follow Graham Cluley on Twitter or Mastodon to learn extra of the unique content material we put up.

Graham Cluley is a veteran of the anti-virus business having labored for a variety of safety corporations because the early Nineteen Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Home windows. Now an impartial safety analyst, he frequently makes media appearances and is a global public speaker on the subject of pc safety, hackers, and on-line privateness.
Comply with him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an e-mail.