denbesten
Community Champion

Twitter eliminates SMS for 2FA

Today, Twitter announced:

 

... To date, we have offered three methods of 2FA: text message, authentication app, and security key. ... we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. ... After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled....

I do applaud them for upping the ante, although it does seem odd to allow paid subscribers (a.k.a. high-value accounts) to continue enrolling in a method one considers insecure.  I know ... if the question does not make sense, the answer is "money".

 

No comment on Twitter's other business decisions as of late because this Community focuses solely on security topics.

4 Replies
JoePete
Advocate I


@denbesten wrote:

I do applaud them for upping the ante, although it does seem odd to allow paid subscribers (a.k.a. high-value accounts) to continue enrolling in a method one considers insecure. 


I admit to being not very well versed in the Twittersphere, but are these supposedly the "verified" accounts? Maybe the rationale is that they have somehow confirmed the phone numbers. Or, as you say, it could be just about the dollars (which probably is more likely).

 

I think the fallacy with these circumstances is that giving your phone number to these services - which have been and will continue to be targets - somehow improves your security. You are giving up more information about yourself and enabling your phone as a vector of attack. Instead, if you just focus on good, unique passwords that you change frequently enough, you will be much better off than essentially publishing your cell phone to some future data breach. Unfortunately, it is getting to the stage where everyone is demanding "2FA" (and it's not really 2FA) by insisting you give them more information about yourself in order to secure some trivial account.

denbesten
Community Champion


@JoePete wrote:
Maybe the rationale is that they have somehow confirmed the phone numbers. Or, as you say, it could be just about the dollars (which probably is more likely).

Yup, per management, it is all about the money.

 


Unfortunately, it is getting to the stage where everyone is demanding "2FA" (and it's not really 2FA) by insisting you give them more information about yourself in order to secure some trivial account.

Of Twitter's previous choices, SMS is the only one that requires sharing "personal information". TOTP uses a shared-secret "seed" and FIDO shares the public portion of a keypair.  

 

My idea of unfortunate is that my financial service providers (e.g. the stuff I most want to protect) tend to be the ones requiring MFA, but only supporting SMS. And oftentimes, I can't mitigate risk with a great password because they limit character count or prohibit "pasting".
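
To make the "TOTP uses a shared-secret seed" point concrete, the following is an added example written for this page (not code from Twitter or from any poster). It implements RFC 4226 HOTP and RFC 6238 TOTP with only the standard library, keyed with the RFC 6238 test-vector secret (a constructed demo seed, not a real credential), and wraps it in a hypothetical TotpServer class whose enrollment table models what a service stores. The last function shows the caveat a practitioner should keep in mind: because the seed is symmetric, anyone who obtains the server's copy can mint codes the server accepts, which is exactly what a FIDO public key does not allow.

```python
"""HOTP/TOTP from a shared seed, plus what a breach of the server-side seed table means."""
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 6238 / RFC 4226 test-vector secret, NOT a real credential.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class TotpServer:
    """Hypothetical relying party. It must keep the raw seed to verify codes,
    so its enrollment table is reversible, unlike a password-hash table."""

    def __init__(self, window: int = 1) -> None:
        self._seeds: dict[str, bytes] = {}
        self._window = window   # accepted clock skew, in 30 s steps, in each direction

    def enroll(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed

    def verify(self, user: str, candidate: str, unix_time: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // STEP_SECONDS
        accepted = False
        for delta in range(-self._window, self._window + 1):
            # Constant-time compare; do not short-circuit so timing does not reveal the step.
            if hmac.compare_digest(hotp(seed, counter + delta), candidate):
                accepted = True
        return accepted

    def dump_seed_table(self) -> dict[str, bytes]:
        """Models a database breach: the attacker leaves with every user's seed."""
        return dict(self._seeds)


def breach_mints_valid_code(server: TotpServer, user: str, unix_time: int) -> bool:
    """Whoever holds the seed can generate a code the server accepts.
    With FIDO the server holds only a public key, so a breach yields nothing usable this way."""
    stolen = server.dump_seed_table()[user]
    forged = totp(stolen, unix_time)
    return server.verify(user, forged, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    srv = TotpServer()
    srv.enroll("alice", DEMO_SEED)
    print("code now:", totp(DEMO_SEED, now))
    print("server accepts it:", srv.verify("alice", totp(DEMO_SEED, now), now))
    print("breached seed still mints valid codes:", breach_mints_valid_code(srv, "alice", now))
```

The RFC 6238 vectors are a quick self-check: with the demo seed, time 59 gives 94287082 (8 digits), so a 6-digit implementation must return 287082. The verify loop deliberately does not break on the first match, so response time does not leak which step matched.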

Early_Adopter
Community Champion

I’ve seen this many times in the shady/murky world of product management.

 

”You’d like to be able to export logs..? … Right …please buy this additional product that allows you to export your logs from the other product that doesn’t have anything to do with the one you are using…”

Real world example of trying to drive adoption of a new module via a spurious argument. It didn’t end well.

 

I think what we see here is a reverse action.

 

”You’d like to keep that functionality..? It’s not good for you, you know… OK, still, well, look, we’re really keen on subscriptions here…”

 

From Twitter we’ve seen the request for money to “keep ur tick”, so it’s not a bad play for the cynical/lazy PM looking to Dyson up some loose change.

 

 

denbesten
Community Champion


@JoePete wrote:
publishing your cell phone to some future data breach. 

Great way of phrasing it!


Malicious compliance is your friend here. Amateurs might enter false data. But I do it the Master Class way. I have effectively a "burner number". I use this to register for loyalty/discount cards, with services like Twitter and everyone else that wants a number but has no business calling me. I implemented it using a low-cost VoIP provider that can receive texts and voice mails onto their website. And when needed, a simple config change will forward calls/texts to my true mobile number.

 

They get an honest-to-God working phone number but remain unable to interrupt me without my consent.

 

Today, I learned that one can delete a phone number from a Twitter profile. Now, my number only exists in their backups.  Until today, I had multiple MFA options registered (to avoid lockout).  Since I am too cheap to pay for a blue checkmark, the sole benefit to them having my burner number is gone.