Twitter’s changes to user security settings surrounding two-factor authentication are a “desperate attempt” to save the company money rather than protect users, a cybersecurity expert has claimed.
Graham Cluley said Twitter’s decision to allow only paying subscribers to the Twitter Blue program to use a text message to verify their identity when logging into the site would leave many users “less protected”.
Over the weekend, Twitter users received a message telling them that SMS-based two-factor authentication (2FA) has been moved to the Twitter Blue subscription – and that anyone who doesn’t want to join the monthly subscription must stop using it or risk losing security or access to Twitter.
The company said the new policy would go into effect on March 20.
Two-factor authentication is a security feature designed to make online accounts more secure by requiring users to verify who they are, after entering their username and password, with a second sign-in method.
Currently, Twitter users can opt in to receive an automatically generated text message containing a code, sent to the phone number associated with their account, and use that code to complete their sign-in.
But users have now received a message telling them that “you need to remove two-factor authentication for text messages” and instead have been prompted to choose another method, e.g. a physical security key plugged into a user’s device or an authenticator app.
Mr Cluley said while it was true that other forms of 2FA were more secure than text messaging, Twitter’s approach to the change was questionable.
“Yes, authenticator apps and hardware keys are a more secure way to protect your account than SMS-based 2FA … but Twitter is doing this in a desperate bid to save money, NOT to improve security for its users,” he tweeted in response to the change.
“Many users will be less protected than before.”
Other commenters said that while it’s better to try to move users away from text message-based 2FA, Twitter’s approach could cause confusion among users who aren’t cybersecurity professionals and aren’t aware of the different forms of 2FA.
Javvad Malik, security awareness advocate at cybersecurity firm KnowBe4, said Twitter’s announcement sent “mixed messages”.
“On the one hand, restricting SMS as a second authentication mechanism due to its weaknesses and the ability of criminals to manipulate users through social engineering is a positive step,” he said.
“On the other hand, by making it available to paid Twitter Blue subscribers, it gives the impression that this is a premium security feature, which is not the case.
“From a technical point of view, using alternative 2FA methods, such as an authenticator app, is more secure than SMS-based 2FA. But we have an educational issue where most people are still not too familiar with how these options work or how to activate them.
“Therefore, what we’re seeing here isn’t necessarily a technical security issue — it’s more of a usability and training issue, one where it’s important to design security controls to make the user experience smooth while improving security.”
In response, Twitter owner Elon Musk defended the decision, claiming that the platform is “scammed out of millions of dollars by phone companies” every year through “fake” 2FA text messages.
And in a blog post on the subject, Twitter said, “While historically a popular form of 2FA, unfortunately we’ve seen phone number-based 2FA being used – and abused – by bad actors.”