In yet another controversial policy move, Twitter announced this week that it’s removing text-based 2FA (two-factor authentication) for non-paying users.
The log-in mechanism is designed to protect people’s accounts from scammers by requiring them to provide a second piece of information in addition to a password. This is typically a code generated in an app, sent to an email address or delivered by text message.
2FA is considered an essential part of online security, but Twitter announced last week that text message authentication would soon be available only to users who have paid for a premium subscription.
The move was met with anger and confusion from users who are once again being asked to pay for something that has until now been free. But Twitter defended its decision by saying that it was necessary to protect the site from “bad actors” who have abused the system.
Twitter didn’t explain how exactly those bad actors abused the system, but T(w)itter Takeover News (not affiliated with the genuine account) claimed that telecoms providers used bot accounts to spam the site with 2FA authentication requests.
The social media giant has apparently been losing $60 million a year to these scams, a claim that CEO Elon Musk later corroborated.
Does any of this make sense?
If you’re having trouble wrapping your head around Twitter’s decision, you’re not alone. Leave to one side the questions of why telecoms companies (rather than scammers) are to blame, why text-message alerts apparently cost so much, and whether these scams are related to the sudden outages Twitter experienced days after Elon Musk ordered the removal of “microservices bloatware” (which temporarily removed 2FA and locked users out of the site): even then, nothing about this decision makes much sense.
The problems stem from the way Twitter announced the decision. It has focused on the costs that Twitter incurs as a result of SMS-based authentication, when the real threat is to users.
SMS is a bad method of authentication. It opens the door to SIM-swapping, a type of fraud in which scammers trick telecoms providers into switching the victim’s phone number to a SIM owned by the attacker.
Twitter should be familiar with the threat that SIM-swapping presents: it was used in 2019 to compromise the account of its then-CEO, Jack Dorsey. In that instance, scammers used the breach for comparatively benign purposes, blasting out a stream of offensive messages and shout-outs for their Discord channel.
But in many cases, the damage can be much worse. Attackers don’t usually broadcast their compromise so blatantly, and can instead have prolonged access to the compromised account.
This enables them to siphon off sensitive information or to use the platform to launch additional scams.
The removal of SMS-based 2FA is therefore an undeniably good thing. So why isn’t Twitter leading with this? Because it isn’t removing SMS as an authentication method at all: premium-level subscribers can still use it.
In a pop-up message to non-paying users of the site, Twitter says: “You must remove text message two-factor authentication. Only Twitter Blue subscribers can use the text message two-factor authentication method. It’ll just take a few minutes to remove it.
“You can still use the authentication app and security methods […] To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.”
This message suggests that SMS-based two-factor authentication isn’t a security risk to either Twitter or its users but is in fact a perk that you must pay for.
Is this just about Twitter Blue?
Elon Musk has been obsessed with the profitability of Twitter since he purchased it for $44 billion last year.
He laid off almost half of the company’s workforce in his first week, he’s proposed a paywall feature for videos and there are rumours that he will introduce a plan for paid direct messages.
And, of course, there is Twitter Blue, an $8 a month (£8.40 in the UK) subscription service that offers users all the benefits they used to receive for free, such as verified status and a blue tick next to their name.
The scheme has been widely considered disastrous. Six months into the endeavour, only 180,000 people in the US are subscribed to Twitter Blue – about 0.2% of all active monthly users.
Musk’s frustration with the lack of uptake and the site’s overall inability to make money reached new heights this week, as he joked that he had purchased a “non-profit”.
The decision to restrict SMS-based authentication to paying users can only be viewed as another effort to get people to pay for basic site functionality.
Although Musk claims that the move is designed to cut down on fraudulent authentication requests, Jim Fenton, an independent identity, privacy and security consultant, isn’t sure that his argument holds water.
He told Wired that the move “might very incrementally decrease Twitter’s costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages”. However, he said that the cost savings would likely be extremely minor.
The more obvious motive is to encourage users to reluctantly move over to Twitter Blue in the mistaken belief that it now offers a new benefit.
But if that’s true, why did Musk tweet that authenticator apps are more secure than SMS authentication?
He’s correct, but saying it publicly all but negates the point of putting text-message authentication behind a paywall. Why not just get rid of it altogether?
Other tech giants, such as Apple and Google, have already eliminated the option for SMS two-factor authentication, encouraging users to use an authenticator app. Meanwhile, Microsoft has gone one step further, removing passwords altogether and enabling users to log in with just an authenticator app.
Either way, the security risks presented by SMS login have been addressed by sunsetting it as an authentication method. Twitter’s half measure will confound anyone who knows anything about 2FA and will confuse those who don’t.
The post Twitter to Charge Users for SMS Two-Factor Authentication in Apparent Security Crackdown appeared first on IT Governance UK Blog.