
Cyber leaders mock Twitter decision to yank 2FA for non-subscribers


Twitter quietly announced plans last week that it would remove two-factor authentication for all unpaid accounts in an effort, it says, to reduce abuse of phone-based 2FA by threat actors.

“To date, we’ve offered three methods of 2FA … unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors,” officials said in the announcement. “Starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

Twitter is giving non-subscribers already enrolled in phone-based 2FA just 30 days to disable it and enroll in another authentication method. After March 20, non-subscribers will no longer be allowed to use text messages as a 2FA method.

What’s more, Twitter intends to disable text message 2FA on all non-subscriber accounts that still have it enabled at that time. Officials are encouraging non-subscribers to use an authentication app or a security key instead.

The action, unsurprisingly, has led to pages of jokes and outright rage, with many suggesting the move is meant to coerce users into paying for the once all-important blue-check feature. The vast majority of users, however, aren’t budging, and are instead detailing just how this move will hand hackers easy access to accounts.

“So courageous of Elon Musk to wait for a Friday night to announce he’s dismantling the most basic of security measures for anyone who doesn’t pay $8 a month,” said Nicole Perlroth, author and former New York Times digital espionage and sabotage reporter, on Twitter. “Time to expand the FTC Safeguards Rule to social media platforms. What a joke.”

In over two dozen statements, users are all taking the shift as a form of bribery: “Pay us or you will be phished,” “Next up you can only change your password once annually unless you have Twitter Blue,” and “Why is he making the least secure 2fa method paid?” Tweets are from Peter Yared, Thomas Maxwell, and Ketan Joshi, respectively.

To summarize, “OLD: Everybody pays $8 for awesome new features, bells and whistles, & the best Twitter experience ever! NEW: Pay $11 or your account gets hacked, jerkface,” wrote Aaron Rupar, independent journalist.

Indeed, it was just last month that John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk, chided entities for not leveraging multi-factor authentication under the current landscape.

“It would be hard to defend both civilly and regulatory the actions against you as it is a very, very basic technique at this point,” Riggi noted at January’s University of California San Francisco Stanford Center of Excellence in Regulatory Science and Innovation discussion. “The White House has implored us to implement basic cybersecurity procedures, which alone, at a very low cost, could prevent a significant portion of ransomware attacks.”

In a statement to SC Media, Andy Kays, Socura CEO, warned the move will be “Christmas come early for fraudsters.” While SMS 2FA has flaws, it remains a “security feature of huge value given its widespread popularity among users. As individuals are often the prime driver of successful hacks, use of any security feature should be viewed as a positive measure.”

Clearly something is better than nothing, particularly for “less tech-savvy social media users” who will likely be harmed the most by the shift. Kays added that “most people will switch from using SMS 2FA to using no form of 2FA whatsoever. They will be far less secure as a result, and a prime target for fraudsters, cybercriminals, and identity thieves.”

While the hope is that perhaps users will shift to a more universal authentication app, Kays stressed that “users should have been encouraged to switch at their own free will over a period of time, not forced to do so.”

One look at the responses from cybersecurity leaders still leveraging the platform gives a clear picture of just how this shift is being taken — and aligns with Kays’ sentiments.

As leading independent journalist Brian Tyler Cohen put it: “I’d imagine that a good way to get users not to use Twitter is to make it markedly less secure.”

As Twitter is already facing a number of regulatory inquiries, it’s unclear how this new plan will work out for its embattled CEO Elon Musk. What is obvious is that Twitter users will once again be forced to adapt or be markedly less secure.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
