Starting March 20, Twitter will require users to pay a monthly fee for a very basic safety feature. The company said it will disable SMS-based two-factor authentication, a popular way among Twitter users to secure their accounts, for people who have not subscribed to Twitter Blue. The move has been slammed by experts, who say this is tantamount to blackmail and would end up hurting users.
Two-factor authentication is an extra layer of security for online accounts. Instead of just logging in using a password, it allows users to set up an additional step – through a code or a security key.
Online security experts have criticised Twitter’s latest step to remove SMS-based authentication for a large section of its users, and have called for regulatory scrutiny over the move.
Why Twitter is removing SMS authentication
The narrative that Musk-led Twitter is trying to establish about shelving SMS-based two-factor authentication seems inconsistent. In a blog post, the company said that “phone-number based 2FA be used – and abused – by bad actors”. However, in the same breath, it added that only Twitter Blue users – a subscription priced at around Rs 900 per month in India – will be allowed to use the safety feature.
It is unclear why Twitter would allow a section of its users – who pay a monthly fee for essentially buying a verification mark – to have access to a safety feature which the company says is abused by bad actors.
In fact, Twitter’s own data shows that SMS-based authentication is the most popular way for users to secure their account, presumably because of its convenience. According to the company’s last transparency report, around 2.6 per cent of active Twitter users had enabled two-factor authentication, of which more than 74 per cent opted for SMS-based authentication.
Musk, who fired nearly half of the company he bought in October last year, also hinted that the move could be yet another cost-cutting exercise. Responding to a user’s tweet on the new policy, he said, “Telcos Used Bot Accounts to Pump 2FA (two-factor authentication) SMS,” and that the company was losing $60 million (roughly Rs. 490 crore) a year “on scam SMS”.
The backlash
Experts have labelled Twitter’s move as “blackmail” and “dumb” and have called for regulatory intervention, including Congressional hearings in the US.
John Scott-Railton, a senior researcher at the University of Toronto-based think tank Citizen Lab, said that Twitter’s move will give “hackers a huge gift”. “Expect waves of takeovers as hackers run through password dumps…You don’t make users more secure by unilaterally degrading their security, then hoping they do better. Security is a ratcheting process. If Twitter goes ahead with this, they absolutely deserve regulatory & Congressional scrutiny,” he added.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, said that the move could nudge users to turn off two-factor authentication altogether. “This is extremely dumb and it hurts me. Obviously, the right move here is to switch to an authentication app or a security key for your 2FA, but I suspect that most people will just turn 2FA off,” she said in a tweet.
The alternatives to SMS authentication
It is important to note that SMS-based two-factor authentication is not the safest way to secure an account. SMS messages are not end-to-end encrypted, so one-time passwords delivered by text can be intercepted in several ways, and attackers can also clone or swap a user’s SIM card to receive the OTPs themselves. Even so, it is far safer than, and perhaps the easiest step up from, a login protected by a password alone, which according to Twitter’s data is what the large majority of its users still rely on.
Apart from SMS authentication, there are two other – and far more secure – ways of enabling two-factor authentication on Twitter. One is to use a third-party authenticator app, and the other is to use a physical security key. The former is used by close to 29 per cent of the users who have enabled 2FA, and the latter is used by only 0.5 per cent of them.
The next easiest way to enable 2FA is to use Google’s authenticator app, which is available on both Android and iOS. Once a user selects 2FA using an authenticator app, they need to log in to their account through the web, where Twitter displays a QR code. Scanning this QR code with the authenticator app on the phone enrols the account, after which the app generates the security codes used for logging in.
One thing to keep in mind here is that when you set up 2FA using an authenticator app, Twitter also generates a backup code. It is meant for times when you do not have your phone handy but still need to log in to your account. So keep the backup code safe and within reach.