Twitter’s two-step verification change ‘doesn’t make sense’


Twitter announced yesterday that, starting March 20, users will be able to protect their accounts with SMS-based two-factor authentication only if they subscribe to Twitter Blue. Two-factor authentication, or 2FA, requires users to enter a username and password followed by an additional “factor,” such as a numeric code. Security experts have long advised people to use a code-generator app to obtain these codes. But receiving the codes by SMS text message is a very popular option, so removing it for unpaid users has security experts scratching their heads.

Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue, the only way to get a blue verification check mark on a Twitter account, costs $11 a month on Android and iOS, and less for a desktop-only subscription. Users moved off SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.

“While historically popular with 2FA, unfortunately, we’ve seen phone number-based 2FA being used and abused by bad actors,” Twitter wrote in a blog post published last night. “So starting today, we will no longer allow accounts to enroll in the text/SMS 2FA method unless they are Twitter Blue subscribers.”

In a July 2022 report on account security, Twitter said that only 2.6 percent of its active users had any form of two-factor authentication enabled. About 75 percent of those users were using the SMS version, about 29 percent were using authenticator apps, and less than 1 percent had added a physical security key.

SMS-based two-factor authentication is not reliable because attackers can take over the target’s phone number or use other methods to intercept the texts. But security experts have long stressed that using SMS two-factor authentication is far better than not enabling a second factor at all.

Increasingly, tech giants like Apple and Google have moved away from SMS two-factor authentication and migrated users (usually over several months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them too little time to complete the transition, and that restricting SMS to paying subscribers will make it seem like a premium feature.

“Twitter’s blog is correct in pointing out that two-factor authentication using text messages is frequently abused by bad actors. I agree that it’s less secure than other 2FA methods,” says Lorrie Cranor, director of the Privacy and Security Lab at Carnegie Mellon. “But if their motivation is security, don’t they want to secure paid accounts too? It doesn’t make sense to only allow a less secure method for paid accounts.”

While the company says the two-factor changes will roll out in mid-March, Twitter users with SMS two-factor enabled started seeing a pop-up overlay screen yesterday that prompted them either to remove two-factor entirely or to switch to an authentication app or security key.

It is not clear what will happen if users do not disable SMS two-factor by the new deadline. An in-app message indicates that people who still have SMS two-factor enabled will be locked out of their accounts when the change goes live on March 20. “To avoid losing access to Twitter, remove two-factor authentication by March 19, 2023,” the notification says. But Twitter’s blog post says that if users don’t make the change before then, two-factor will simply be switched off for them on March 20. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that point, accounts with text message 2FA still enabled will have it disabled.”
