Twitter’s sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant’s already somewhat questionable reputation for protecting users of its services.
Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company said. “At that time, accounts with text message 2FA still enabled will have it disabled.”
Several analysts view the move as ill-conceived and as weakening protections for the millions of users who currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter’s view that text message-based authentication mechanisms are somewhat susceptible to attack still perceive it as offering orders of magnitude more security than having no second factor at all.
Twitter’s Ill-Conceived Move
“The optics are definitely bad,” says Richard Stiennon, chief research analyst at IT-Harvest. “This move appears to put a price on better security for Twitter, which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords.”
The company urged users who still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or code that users can use along with their password when accessing an account on which they’ve enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging into an account. “These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure,” Twitter said.
Stiennon notes, “Using an authenticator app is better [than text-based 2FA], but there will never be a lot of users unless Twitter makes such an app a requirement and makes it available for free.”
Raising Questions About Text-Based 2FA
The social media company’s brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the method as the main motivation: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors.”
The widespread use of mobile devices for SMS-based 2FA, for instance, has driven an increase in so-called SIM-swapping attacks, where a threat actor transfers another person’s phone number to their own SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use them to break into 2FA-protected accounts have persisted for years, as have calls to replace SMS with stronger token- and app-based code generators.
Nonetheless, Stiennon and others dismiss that explanation as not being sufficient reason to disable the option for anyone who wants to use it. “For highly targeted attacks, it’s true that SMS can be intercepted by determined attackers,” he says, noting that such attacks are rare.
An Attempt to Raise Revenue?
John Pescatore, director of emerging security trends at the SANS Institute, says Twitter’s move is somewhat akin to a bank insisting that users of a free checking account enter only their PIN — and not their ATM card as well — to use an ATM machine. “While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still much safer than reusable passwords,” he says.
“The only justification for what they’re doing is an attempt to raise revenue,” Pescatore tells Dark Reading. Otherwise, why would they make a supposedly less secure authentication method available only to their paid subscribers, he points out.
A transparency report that Twitter released in December 2021 showed that, at the time, some 2.4% of active Twitter accounts had enabled 2FA. Of those, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on these numbers (the most recent available), only a relatively small percentage of Twitter’s active accounts would appear directly affected by Twitter’s latest decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter’s cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.
“Twitter has a consistently poor record around security,” Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company’s failure to take steps required of it to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead.
“Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8,” Pescatore adds.
Coming Under the Microscope
As if the company’s security challenges weren’t bad enough, Elon Musk’s controversial leadership of Twitter has also put the company’s every move under the microscope.
“As with anything to do with Twitter these days, the broader context for their decisions invites a lot of controversy from all over the political spectrum,” says Fernando Montenegro, an analyst with Omdia.
With the latest move, there is a general understanding that SMS 2FA is less resistant to some attacks than authenticator apps or security keys. So getting users to move toward “better” MFA is a good thing for potentially improving resilience against those attacks, he adds. “It’s also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that aren’t subscribers,” Montenegro says.
The key question here is whether people use SMS because it’s easier to set up or simply because they don’t know about the alternatives, he points out. “If the former, and Twitter doesn’t make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people learning about other options for MFA and turning those on.”