On the surface, it’s bizarre that Twitter, under Elon Musk’s ownership, has announced plans to stop people from using SMS-based two-factor authentication (2FA) to secure their accounts. The CEO has said that text message 2FA will now be a feature only for Twitter Blue subscribers or those paying a certain amount a month. In hindsight, the bizarre part is allowing text-message-based 2FA at all. Is it secure?
The 2FA in question here is more secure than not having 2FA at all. It acts as a barrier, but if you ask security experts, they will say that the technology puts users at risk because text messages are easily intercepted or redirected by bad actors in so-called SIM swapping attacks. Instead, they would suggest you use an authenticator app-driven 2FA.
USE AN AUTHENTICATOR APP
What Twitter is suggesting is that users switch over to an authenticator app or a security key as an extra layer of protection when logging into their Twitter account.
There are plenty of authenticator apps, like Authy, Google Authenticator, and Microsoft Authenticator. These usually generate one-time passwords (OTP) that change every minute or so. Basically, you add a layer of security provided by an authenticator. Say I am logging in to Twitter. I will be asked for my password and then a passcode generated by the authenticator, which can generate codes for several apps at once. Every minute the passcode changes, so you are more secure.
Authenticator apps are not the ultimate when it comes to protection, but they are far safer than SMS 2FA because it is difficult for a hacker to access the physical device where the authenticator app is installed.
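As an added illustration that is not part of the original article, here is how an authenticator app derives its rotating code and how a service such as Twitter would check it. Both sides share a secret enrolled when the app is set up, and each code is an HMAC over the current time step (the RFC 6238 standard uses a 30-second step; the article's "every minute or so" is approximate). The demo secret below is the RFC test key, constructed here for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the code the app displays


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _secret_bytes(secret_b32: str) -> bytes:
    # Apps receive the secret as base32 (e.g. from the setup QR code)
    return base64.b32decode(secret_b32.upper())


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """Code the authenticator app shows: HOTP over the current time step."""
    t = time.time() if at_time is None else at_time
    return hotp(_secret_bytes(secret_b32), int(t) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side to tolerate clock drift, so a code goes stale after about a minute."""
    t = time.time() if at_time is None else at_time
    counter = int(t) // STEP_SECONDS
    secret = _secret_bytes(secret_b32)
    for delta in range(-window, window + 1):
        # constant-time compare so timing does not leak the expected code
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(DEMO_SECRET_B32, at_time=59))            # -> 287082
    print(verify_totp(DEMO_SECRET_B32, "287082", at_time=119))  # -> False (stale)
```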
What’s SIM swapping? It’s something that duped former Twitter CEO Jack Dorsey in 2019. A scammer gathers personal details about a victim, either by impersonating the victim to telecom company employees through phishing emails or phone calls, or by buying the information on the dark web. You may think such data is difficult to find. It’s not. There have been data breaches over the years, and millions of people have some of their personal information available on the dark web, like their date of birth. (One well-known site that tracks data breaches is Have I Been Pwned.)
In Jack Dorsey’s case, a scammer was able to hack his phone and access Twitter’s text-to-tweet service, which allowed users to tweet without logging into Twitter. The hacker was eventually found and arrested, but damage could have been done.
SHOULD YOU USE A SECURITY KEY?
Twitter has said people have 30 days to turn off SMS-based 2FA and move to another option. The company has also said that the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication (unless you pay for the privilege).
In case you want even better security than authenticator apps offer, go for security keys. A key is safe because it verifies the service itself as valid, which helps prevent phishing, and it can be more convenient than copying over a constantly rotating code. The problem with a security key is that you need to purchase a physical piece of hardware that you insert into or connect wirelessly to your phone or computer. Several brands sell them: Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan. Then there is the Thetis key, among others.
There’s one more important step. After setting up an authenticator app or hardware key for Twitter, make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as when you lose your phone or security key.
At a glance
- Use an authenticator app, like Authy by Twilio, Google Authenticator or LastPass. These generate codes on your mobile device that you can use when you log in. It’s safer than SMS-based 2FA.
- The most secure 2FA option is a physical security key, like Yubikey or Google Titan. It connects to your computer either via the USB port or wirelessly and generates a one-time passcode (OTP) that you can then use to log in to the service.