{"id":610414,"date":"2023-02-21T07:49:04","date_gmt":"2023-02-21T13:49:04","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/21\/twitter-2fa-changes-bring-more-risks-than-benefits\/"},"modified":"2023-02-21T07:49:04","modified_gmt":"2023-02-21T13:49:04","slug":"twitter-2fa-changes-bring-more-risks-than-benefits","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/21\/twitter-2fa-changes-bring-more-risks-than-benefits\/","title":{"rendered":"Twitter 2FA changes bring more risks than benefits"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Twitter\u2019s approach to nudging users away from insecure SMS-based 2FA is being questioned over its logic<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>20 Feb 2023 14:15<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Security experts are unanimous that using SMS-based <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/two-factor-authentication\">two-factor authentication<\/a> (2FA) is insecure and puts users at risk of compromise \u2013 SMS-based communications are too easily intercepted or redirected by malicious actors in so-called <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/SIM-swap-attack-SIM-intercept-attack\">SIM swapping attacks<\/a>, and the time to move away from this outdated and unsafe technology has long since passed.<\/p>\n<p>So if one accepts Twitter\u2019s announcement that it plans 
<a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/product\/2023\/an-update-on-two-factor-authentication-using-sms-on-twitter\">to remove SMS-based 2FA<\/a> as an option for non-paying users on 20 March 2023 at face value, it is easy to read it as an entirely sensible and reasonable attempt to nudge users towards more secure MFA options, such as the use of a mobile application or a physical security key. It seems like a logical decision.<\/p>\n<p>But it is no longer clear if Twitter is taking decisions on a logical basis; the social media platform has been plagued by <a href=\"https:\/\/www.techtarget.com\/searchcustomerexperience\/news\/252526670\/How-Musks-Twitter-takeover-could-affect-business-accounts\">a myriad of problems<\/a>, many of them <a href=\"https:\/\/www.computerweekly.com\/news\/252527432\/Is-Elon-Musks-Twitter-safe-and-should-you-stop-using-it\">cyber security and compliance issues<\/a>, since its takeover by erratic billionaire Elon Musk in 2022.<\/p>\n<p>Many of these issues are widely thought to have been caused by Musk\u2019s tendency to make spur-of-the-moment decisions on a whim, and there is some suggestion that this latest policy change may be one such decision, made to address one specific problem \u2013 possibly the expense of offering SMS 2FA \u2013 but without thought to the wider ramifications.<\/p>\n<p>For one thing, the decision to allow paying users to retain the ability to use an insecure authentication method as a premium feature makes no sense, and nor has Twitter done anything to incentivise users to start paying for its premium \u201cBlue\u201d tier.<\/p>\n<p>As such, said Andy Kays, CEO of <a href=\"https:\/\/socura.co.uk\/\">Socura<\/a>, a supplier of managed detection and response (MDR) services, it will shortly be \u201cChristmas come early\u201d for fraudsters.<\/p>\n<p>Everyone knows SMS-based 2FA has its flaws, explained Kays, but because it is easier \u2013 and usually cheaper \u2013 to use, it has become a security 
feature of great value to the lay population.<\/p>\n<p>\u201cIn the short term, the removal of 2FA could be harmful, especially among less tech-savvy social media users,\u201d said Kays. \u201cMost people will switch from using SMS 2FA to using no form of 2FA whatsoever. They will be far less secure as a result, and a prime target for fraudsters, cyber criminals and identity thieves.\u201d<\/p>\n<p>\u201cIn the long term, we can only hope that this move is the catalyst for universal authentic app adoption. It is true that authenticator apps are a much better form of 2FA, but users should have been encouraged to switch at their own free will over a period of time, not forced to do so,\u201d he said.<\/p>\n<p>Alexander Heid, chief research and development officer at security rating specialist <a href=\"https:\/\/securityscorecard.com\/\">SecurityScorecard<\/a>, said: \u201cWhen SMS-based 2FA is disabled on 20 March, there may be a small percentage of non-paying users experience account takeovers if they have been reusing passwords that are circulating on public data breaches and relying solely on SMS-based 2FA to keep their account secure.<\/p>\n<p>\u201cIf a person is in the habit of reusing old passwords, it is advised to change your password regardless of the 20 March switchover.<\/p>\n<p>However, he added: \u201cIt has been reported that <a href=\"https:\/\/transparency.twitter.com\/en\/reports\/account-security.html#2021-jul-dec\">only 2.6% of Twitter users make use of 2FA<\/a> \u2013 so only a small portion of overall Twitter users will be impacted by these changes.\u201d<\/p>\n<section data-menu-title=\"Alternative options\">\n<h3><i data-icon=\"1\"><\/i>Alternative options<\/h3>\n<p>If you are currently using SMS-based 2FA to log in to Twitter and would prefer not to be made to pay to retain the use of an insecure service, Twitter will continue to make two other options available, both of which are worth considering.<\/p>\n<p>The most secure 2FA option for 
Twitter is <a href=\"https:\/\/uk.pcmag.com\/security\/136832\/the-best-security-keys-for-multi-factor-authentication\">a physical security key<\/a> \u2013 such as YubiKey by Yubico or Google Titan \u2013 a small device that connects to your computer, either via the USB port or wireless connectivity, to generate a one-time passcode (OTP) that you can then use to log in to the service.<\/p>\n<p>Physical keys are considered highly secure because they must be in your possession, and cannot be easily bypassed should a cyber criminal have compromised your Twitter credentials.<\/p>\n<p><a href=\"https:\/\/uk.pcmag.com\/security\/133038\/the-best-authenticator-apps\">An authenticator application<\/a> \u2013 such as Authy by Twilio, Google Authenticator or LastPass \u2013 works on a similar principle but generates codes on your mobile device that you can use when you log in to Twitter.<\/p>\n<p>Such apps still provide a decent level of protection should your credentials have been compromised somehow, but are vulnerable if your mobile is stolen and impractical if your mobile is lost.<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365531305\/Twitter-2FA-changes-bring-more-risks-than-benefits\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Elida Klemp<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Twitter\u2019s approach to nudging users away from insecure SMS-based 2FA is being questioned over its logic By Alex Scroxton, Security Editor Published: 20 Feb 2023 14:15 Security experts are unanimous that using SMS-based two-factor authentication (2FA) is insecure and puts users at risk of compromise \u2013 SMS-based communications are too easily intercepted or redirected 
by<\/p>\n","protected":false},"author":1,"featured_media":610415,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2138,46,687],"tags":[],"class_list":{"0":"post-610414","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-changes","8":"category-technology","9":"category-twitter"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/610414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=610414"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/610414\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/610415"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=610414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=610414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=610414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}