Checklist 317: Twitter’s Tumultuous 2FA Turn
On this week’s Checklist:
- Twitter nixes 2FA by SMS
- Avoiding scam 2FA apps
2FA, SMS, and Twitter
Last week, Twitter announced that it would no longer allow non-Twitter Blue subscribers to use SMS messages for two-factor authentication (2FA). Twitter users will instead have to use a 2FA authenticator app or a physical security key as their second authentication factor.
Twitter explained its decision on the company blog:
While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used—and abused—by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.
As an aside, if you’re a Twitter user who is switching away from SMS-based 2FA, note that doing this will not dissociate your phone number from your Twitter account. If you would like to do that for better privacy, this Twitter guide will walk you through the process.
Insecurity as a premium offering
Twitter’s decision has perplexed many in the security community.
It’s true that SMS for 2FA has well-known vulnerabilities—the risk of a SIM-swapping attack being the most obvious of these.
But the last time anyone checked, fewer than 3% of active Twitter users were protecting their accounts with any kind of 2FA at all. Of those, the vast majority—75% of them—were using SMS-based 2FA. So it seems likely that Twitter’s move will result in users just ditching 2FA altogether, which security experts agree is far less safe than using the (admittedly imperfect) SMS 2FA method.
Another oddity of Twitter’s decision is that they’re allowing paying “Twitter Blue” users to keep the less-secure 2FA method. As Lorrie Cranor, Director of Carnegie Mellon University’s Usable Privacy and Security Lab, asked in an interview with Wired:
[I]f their motivation is security, wouldn’t they want to keep paid accounts secure too? It doesn’t make sense to allow the less secure method for paid accounts only.
All in all, Twitter’s decision to do away with SMS 2FA seems, at best, poorly communicated!
How to avoid scam 2FA apps
Twitter’s decision has created no small amount of confusion—both in the security community and also among everyday users. And whenever there’s confusion, the scammers have an opportunity to take advantage of people.
Sadly, this may already be taking place. A 9to5Mac article says that the security researcher Mysk has found a number of shady 2FA authenticator apps in the App Store. The researcher is quoted as saying:
All these authenticator apps are free and offer in-app purchases. You install them to discover that you can’t scan any QR code until you subscribe, $40/year with 3 days free trial. The apps are very similar.
At the very least, that sounds like fleeceware. And if a “developer” is shady enough to release a fleeceware app in the App Store, there’s no telling what else that app is going to get up to once installed on your device.
The good news is that there are already robust, reputable, and free 2FA authenticator apps out there. Two of the most popular are Google Authenticator and Authy. In addition, Apple has recently introduced support for physical security keys into its OSes.
To learn more about these more secure 2FA options, check out:
How to use an authenticator app for 2FA on iOS
How to protect your Twitter account without SMS two-factor authentication
Checklist 313: Apple Security Fixes and Features