The popularity of the two-factor account is waning
How Safe Should Twitter Be? Why 2FA is Misused and Improperly Used by Bad Actors on Twitter? Comment on Musk’s Tweet
“While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published yesterday evening. Unless you’re a Twitter Blue subscriber, you will not be allowed to enroll in the text message/SMS method of 2FA.
Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Musk said in public that he was disabling some parts of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”
“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It’s hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced.”
The Twitter Blue app isn’t available in the UK if you’re in the U.S., or is it banned from the Twitter app store?
It’s $11 a month in the U.S. for the service on mobile devices. It costs $8 per month for web users. Users have 30 days to sign up, or they will see their two-factor authentication (2FA) turned off.
Phone number-based two-factor authentication is not secure because attackers can access phone numbers or intercept text messages. Security experts have always held that using two-factor authentication is better than not having it at all.
According to the company, “disabling text message 2FA does not automatically disassociate your phone number from your account,” but others say it does put user security at risk.
This announced change to the platform is just the latest in a series of decisions causing serious upheaval at the social media company following Elon Musk’s takeover last year.
Twitter says the reason for this move is that phone number-based two-factor authentication is being “abused by bad actors.” Many users are concerned about the implications of the planned move.
In an email to NPR, she called this decision another one of Musk’s “chaotic moves.” She has been critical of recent actions by Twitter following Musk’s takeover of the company.
Gavan Reilly, a reporter in Ireland, tweeted that Twitter Blue isn’t even available in his country yet, “so there is literally no option to maintain the current choice of security.”
“Yeah, it’s great to encourage people to use an authenticator app, but what if the government blocks it, criminalizes it, or it’s banned from the app store?” she asked.
And there are apps, like Duo, that won’t work in certain countries if a user’s IP address originates in a region sanctioned by the U.S., including Cuba, Iran, Syria, and areas in Ukraine controlled by Russian forces.
Why is a 2 factor authentication code better than nothing? “It’s a simple attack that’s been used to attack a cell phone company pretending to be you”
She said it’s one of the least secure measures to use and that it is considered better than nothing. That’s “because of a relatively simple attack called a ‘sim swap’ that has become more and more common.”
This is when “an attacker calls your cell phone company pretending to be you and convinces them to transfer your phone number to a new device, then sends the 2 factor authentication code” to themselves, she said.