
What should Musk do to better secure Twitter users after 2FA goes away?

Twitter bird seen on its headquarters

In just two weeks, the ban on SMS two-factor authentication for non-subscribers on Twitter will go into effect, a move blasted by the majority of the security community.

While Twitter CEO Elon Musk has defended the move as a way to protect user security, most leaders aren’t buying it.

“Just from a purely pragmatic standpoint, this is basically stripping away the lowest threshold of 2FA out there without any sort of viable or easy replacement,” Andrew Shikiar, executive director of the FIDO Alliance, told SC Media.

SMS OTP has the benefit of being easy to use, requiring no authenticator set-up on the user's part, while still bolstering password-only accounts. But the tool has a host of drawbacks: it widens the attack surface, it can be spoofed, and its codes are sent in plain text, to name a few.

Twitter’s decision to ban the authenticator without payment led to outright mockery on its own platform, with many calling it a potential holiday for hackers.

Not only will it make users less secure, Shikiar said, it is also unnecessary. Just because there may “be a business model behind it,” hidden behind the guise of innovation, does not make it the most cost-effective model. Standardizing remote identity verification, at a minimum, would be a better example of a shift that would actually lower costs, Shikiar said.

The laundry list of possible negative impacts of the controversial move is substantial, but there are a handful of positives: namely, that the company is working to move users away from SMS one-time password authentication. 

However, no one is defending the inherent vulnerabilities of OTP, as it’s a risky authenticator that doesn’t really prevent account takeovers, Shikiar explained.

Had Twitter announced a secondary solution, or provided users with education around viable alternatives, the shift would have been less controversial and supported Musk’s assertion that it was meant to protect user security — all while shutting down claims it was a cost-cutting effort in the face of mounting financial woes facing the company.

“But for the mainstream consumer audience, SMS OTP is better than a password alone, and it will thwart the vast majority of attacks,” said Shikiar. SMS OTP is not sufficient for all users, but it “has the advantage of ubiquity,” meaning basically anyone can use the tool to strengthen the security of their account, which will be, as of March 20, only protected by password.

Without understanding the need for, or function of, the alternatives, not every user will have a security key or set up an OTP authenticator app when the SMS OTP ban goes into effect, Shikiar explained. The ban will essentially lower the number of users employing 2FA to access their accounts.

What would be a better approach for Twitter to replace 2FA?

A better approach for Twitter, and for other companies considering a similar security shift for users, would have been to detail the reasons for the change and the more secure options that users can, and should, use to keep their accounts secure.

For example, the SMS OTP ban could have been accompanied by passkey support for mobile users. As Shikiar sees it, Twitter could have told users that it was removing OTP while educating them on passkeys, which are safer and built into Android and iOS devices.

Without doing so, Twitter’s move is “a missed opportunity,” said Shikiar. Passkeys aren’t expensive, and “good passkeys are an unphishable primary factor for user authentication.” Using the authenticator makes for a “much simpler user experience.”

And with passkeys, the company could still save money and keep users secure. It wouldn’t be “beautiful, but it’s functional,” Shikiar said. "Twitter could also use the shift to educate users on how to use passkeys, which to me, would have been a much better approach.”

With passkeys, companies now have a consumer-ready method of authentication. “It’s a whole new paradigm,” he continued. “We need to rethink the way we look at authentication,” in all its different layers that are essentially “Band-Aids on the fundamentally flawed first factor authentication.”
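To make concrete what “unphishable” means in the passkey paragraphs above, here is an added example (not from the article or the FIDO Alliance) of the relying-party checks a WebAuthn-style sign-in performs. The authenticator signs over the RP ID hash and the hash of the client data, which carries the browser-supplied origin, so an assertion produced for a different origin cannot verify at the real site. RP_ID, EXPECTED_ORIGIN, the challenge and the HMAC stand-in for the credential's private key are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying party and registered credential (illustration only).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# Real passkeys sign with an asymmetric key (e.g. ES256); an HMAC key is a
# stand-in here so the example runs with the standard library alone.
CREDENTIAL_KEY = b"constructed-credential-key"


def authenticator_sign(rp_id, origin, challenge, key=CREDENTIAL_KEY):
    """Simulate a platform authenticator answering a sign-in request.
    The browser supplies rp_id and origin; both are bound into what is signed."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                      # user present + user verified
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, client_data, hmac.new(key, signed, hashlib.sha256).digest()


def verify_assertion(auth_data, client_data, sig, challenge, key=CREDENTIAL_KEY):
    """Server-side subset of the WebAuthn assertion checks: ceremony type,
    challenge, origin, RP ID hash, user-presence flag and signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rp id hash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Genuine origin verifies; the same ceremony run from another origin does not."""
    challenge = base64.urlsafe_b64encode(b"constructed-challenge-16").decode().rstrip("=")
    genuine = verify_assertion(*authenticator_sign(RP_ID, EXPECTED_ORIGIN, challenge), challenge)
    other = verify_assertion(*authenticator_sign("other.example", "https://other.example", challenge), challenge)
    return genuine, other
```

The origin and RP ID checks are what an SMS code has no equivalent of: a six-digit code is the same string wherever it is typed, while a passkey assertion only verifies for the origin the browser actually reported.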

Another alternative shared by Apple Software Engineer Ricky Mondello would have been to offer users email OTP in a step-like progression to slowly shift users into an alternative authentication method, before the final step to passkeys. In this way, Twitter could have leveraged the functionality built into mobile devices with a small amount of engineering.

In a personal blog post, Mondello reaffirmed the real problems around cost and fraud brought on by SMS. During their tenure in the industry, Mondello has seen several organizations “looking to reduce costs around sending text messages, and the costs they’ve cited have been significant.”

But none of those businesses opted to “charge for the privilege, especially after it had been a baseline feature of the service,” they wrote. Instead, if security were truly the driving force, Twitter would move to passkeys, which replace passwords, the source of the vast majority of security risks.

“Passwords are the problem — that's the first factor,” said Shikiar. “That's why we need to have 2FA and multi-factors. And if you get rid of passwords as the primary factor, all of a sudden the conversation changes.”

The industry or large consumer service providers “must embrace and extoll the virtues of this better form of authentication,” he continued. “There's no doubt in my mind, this is happening. But Twitter missed what would have been a good opportunity for them and a nice boost for consumer authentication at large.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
