What’s Twitter doing with two factor authentication?

The simple way of protecting an account with an online service is a password. But passwords on their own are not very secure, which is why ‘two factor authentication’ (2FA) also exists.

For non-IT experts, that’s rather an obscure name for what is a simple idea: that you need to prove who you are via two different routes. That’s common in all sorts of offline scenarios too (such as opening a bank account, where one form of identity from each of two different lists is usually asked for). For online services, it means not only knowing the password but also having possession of a physical device. Hence, two factors to authenticate.


The basic form of this is possession of your mobile phone. You give your number over and then always have to have access to that phone to log in in future. After you enter your password, you are sent a text message with a one-time code which you also have to enter. No mobile phone, no successful login.

However, this form of 2FA has limitations. You need to have your mobile phone with you, powered up and able to get a signal. That can cause problems if you’re in a building with coverage blackspots, or if your phone is stolen. But text messages are also an insecure channel: they can be intercepted, messages from spoofed numbers can be used to phish you, and your number itself can be taken over by cloning your SIM card or by SIM-swap fraud (persuading your mobile provider to move the number to an attacker’s SIM), which opens up hacking opportunities that have nothing to do with how strong your password is.

So there’s a more advanced form of 2FA which involves either having an authenticator app on your phone or physical possession of a security key that you plug into your device. These have their practical implications too, but overall they are more secure and more convenient than relying on text messaging. As long as you put the effort into getting set up, which although easy (you can get an authenticator app for free and it’s only a few steps to be up and running with it) is also a bit of a barrier and one of the reasons why SMS 2FA is still so widespread.

Because these methods are better, it’s also becoming more common for the SMS option to disappear as a choice, especially on financial services.

Which is where Twitter’s latest news comes in. Twitter is removing the SMS option from its free accounts, and in future SMS will only be available if you pay for Twitter Blue.

A lot of the reaction to this has been more heat than light, and much of it suggests people think Twitter is removing 2FA completely from free accounts. It isn’t. Rather, it’s pushing people towards using a more secure option.

That would be straightforwardly good if it weren’t for two confusing factors. One is that Twitter isn’t making it mandatory to use some form of 2FA (unlike, say, my bank which does make this a requirement). So a reasonable fear is that some people will downgrade from SMS 2FA to no 2FA.

The other confusing factor is Twitter’s decision to let people carry on using the SMS option if they pay up for a Blue account.

That makes it easy to think there’s a degree of bad faith behind this move, trying to use the presence of an additional (even if inferior) security option as a hook to get people to pay up money.

But regardless of the motivation, the overall solution for Twitter users is a simple one: you should be using 2FA and you shouldn’t be doing that via SMS.

So whatever Twitter’s motivations, the best response to this move on their part is one that benefits you: upgrade your security away from relying on SMS. Don’t turn off 2FA but upgrade it (and especially if you use Twitter for politics, as it’s not a good idea to make it easy for hackers to embarrass you.)

I use Authy as an alternative to SMS for two factor authentication. It’s free, widely used and highly rated by security experts. It allows you to back up all your settings so that you can use Authy on more than one device and also have a backup in case of your phone being stolen or lost. That slightly reduces the security of using it in return for the extra convenience. Oh crumbs, do some security experts like arguing over the pros and cons of that. If you’d rather not have that combination you can either use Authy without turning on this feature or use one of the other free and highly rated authenticator apps, such as those from Google and Microsoft.
