Twitter’s sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant’s already somewhat dubious reputation for protecting users of its services.
Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company said. “At that time, accounts with text message 2FA still enabled will have it disabled.”
Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter’s view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.
Twitter’s Ill-Conceived Move
“The optics are certainly bad,” says Richard Stiennon, chief research analyst at IT-Harvest. “This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords.”
The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging in to an account. “These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure,” Twitter said.
“Using an authenticator app is better [than text-based 2FA],” Steinnon notes, “but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free.”
Raising Questions About Text-Based 2FA
The social media company’s brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors.”
The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so called SIM-swapping attacks, where a threat actor transfers another individual’s phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use it to break into 2FA protected accounts have persisted for years, as have calls to replace it with stronger token and app based token generators.
Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. “For highly targeted attacks, it is true that SMS can be intercepted by determined attackers,” he says, noting that such attacks are rare.
An Attempt to Raise Revenue?
John Pescatore, director of emerging security trends at the SANS Institute, says Twitter’s move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN — and not their ATM card as well — to use an ATM machine. “While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords,” he says.
“The only justification for what they are doing is an attempt to raise revenue,” Pesactore tells Dark Reading. Otherwise, why would they allow a supposedly less secure authentication only be available to their paid subscribers, he points out.
A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter’s active accounts would appear directly impacted by Twitter’s recent decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter’s cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.
“Twitter has a consistently poor record around security,” Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead.
“Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8,” Pescatore adds.
Coming Under the Microscope
As if the company’s security challenges were not bad enough, Elon Musk’s controversial leadership of Twitter has also put the company’s every move under the microscope.
“As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum,” says Fernando Montenegro, an analyst with Omdia.
With the latest move, there’s a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards “better” MFA is a good thing for potentially improving resilience against these attacks, he adds. “It’s also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers,” Montenegro says.
The key question here is whether people use SMS because it’s easier to set it up or just because they don’t know about alternatives, he points out. “If the former, and Twitter doesn’t make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on.”