The change doesn’t seem to make sense
Two Day Twitter Outage: Why We Are Getting More Users and Less Protected from Asymptotic Authentication Codes?
Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. Since the weekend, users have been self-reporting issues on Twitpic, and WIRED confirmed that for some accounts, texts are delayed by hours or not arriving at all. More than 3,700 people were laid off by the company less than two weeks ago. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin trying to adapt and build new features on top of the new owner’s agenda.
Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Musk said publicly that he is disabling some parts of the platform. There will be some part of today that will be turning off the bloatware. “Less than 20 percent are actually needed for Twitter to work!”
“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. It’s not clear who caused the issue, but it could be the large-scale changes to the web services that have been announced.
Twitter Blue: Why Two-Factor Authentication Is Necessary for Secure Communication on Social Networks and Mobile Devices
Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.
Two-factor security is not guaranteed, because attackers can hijack targets’ phone numbers or intercept texts. But security experts have long emphasized that using SMS two-factor is significantly better than not having a second authentication factor enabled at all.