What to do after Twitter eliminates SMS 2FA for non-Blue users?
February 23rd, 2023 - Written By CyberLabs
On 15 February 2023, Twitter said in a blog post: “Phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.”
Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages
— Elon Musk (@elonmusk) February 18, 2023
Twitter says that non-Blue users who currently rely on SMS-based two-factor authentication have until March 20, 2023, to switch to a different 2FA method.
The new policy will likely push people toward stronger forms of authentication, since SMS has consistently been the weakest form of 2FA: a code sent by text can be intercepted through SIM swapping or relayed in real time by a phishing page.
Only 2.6% of active Twitter accounts have at least one type of 2FA enabled, according to Twitter's own transparency data. Among those accounts, SMS is by far the most common method (74.4%), followed by authenticator apps (28.9%) and security keys (0.5%); the figures add up to more than 100% because an account can have more than one method enabled.
How to switch to a different technique?
Security key
A security key, such as a Google Titan or YubiKey, is a small device that connects over USB or NFC. Because it is a physical object that must be in your possession and plugged into (or tapped against) the device you are logging in from, it is considered the strongest form of 2FA.
Security keys use the FIDO2/WebAuthn standard (or its predecessor U2F): during login the browser passes the site's origin to the key, and the key's signed response is bound to that origin. So even if an attacker captures your password, whether through an adversary-in-the-middle phishing page or a SIM-swapping attack on your phone number, they cannot complete the second factor: a phishing site on a different domain receives a response the real site will reject, and a hijacked phone number is worthless because no code is ever sent to it.
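To make the origin binding concrete, here is an added example (not code from the original article, and not Twitter's implementation) of the relying-party checks a WebAuthn server runs on a security-key login before it verifies the signature. It constructs the clientDataJSON and authenticatorData structures that a browser and key hand back, once for a genuine login and once for an adversary-in-the-middle page that relays the real challenge. The origins and hostnames (`https://twitter.com`, `twitter-login.example`) are assumptions for the illustration; signature verification, the step that follows these checks, is left out because it needs a crypto library.

```python
"""Why a security key survives adversary-in-the-middle phishing: the relying
party's origin and RP-ID checks from WebAuthn assertion verification.

Added example, not from the original article or from Twitter's code. The
origins, hostnames and challenge below are constructed for the illustration.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

EXPECTED_ORIGIN = "https://twitter.com"   # assumed relying-party origin
EXPECTED_RP_ID = "twitter.com"            # assumed relying-party ID
FLAG_UP = 0x01   # user present (touched the key)
FLAG_UV = 0x04   # user verified (PIN or biometric on the key)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_assertion(origin, rp_id, challenge, sign_count):
    """What the browser and key produce when a page on `origin` calls
    navigator.credentials.get() with rpId=`rp_id`.

    The browser fills in `origin` itself and only allows an rpId that equals
    the page's host or a registrable parent of it, so a phishing host cannot
    ask the key to sign for "twitter.com".
    """
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"browser rejects rpId {rp_id!r} for origin {origin!r}")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    authenticator_data = (
        hashlib.sha256(rp_id.encode()).digest()      # rpIdHash (32 bytes)
        + bytes([FLAG_UP | FLAG_UV])                 # flags (1 byte)
        + sign_count.to_bytes(4, "big")              # signCount (4 bytes)
    )
    # The key then signs authenticatorData || SHA-256(clientDataJSON); that
    # signature is what stops a proxy from editing either structure in transit.
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def rp_verify(assertion, expected_challenge, last_sign_count):
    """Relying-party checks before signature verification. Returns (ok, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or unsolicited assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned key?)"
    # Next step (not shown): verify the signature with the public key stored
    # for this credential at registration.
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x01" * 32   # constructed; a real RP draws this at random
    legit = build_assertion("https://twitter.com", "twitter.com", challenge, 8)
    print("genuine login:", rp_verify(legit, challenge, 7))
    # An AitM proxy on another host relays the real challenge, but the victim's
    # browser binds the response to the host the victim actually visited.
    phish = build_assertion("https://twitter-login.example",
                            "twitter-login.example", challenge, 8)
    print("relayed via phishing site:", rp_verify(phish, challenge, 7))
```

The phishing case fails on the origin check (and would fail again on rpIdHash), and the proxy cannot patch those fields because they are covered by the key's signature. Compare this with a TOTP or SMS code, which carries no information about where it was typed and relays cleanly.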
Authenticator App
With an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy, you scan a QR code that the website shows during enrollment. The QR code carries a shared secret; the app stores it and from then on generates the short-lived, time-based one-time codes (TOTP) you need to log into that account. If a threat actor obtains your username and password, they still cannot log in without the current code from your app. Unlike a security key, however, a TOTP code can be phished: an adversary-in-the-middle page can relay the code to the real site within its validity window, so this method protects against credential theft but not against real-time phishing.
The drawback of authenticator apps is that if you lose your phone you also lose the stored secrets, and regaining access to each site can be slow and painful. Authy and Microsoft Authenticator can back up your enrollments to the cloud so you can restore them on a new device; whichever app you use, keep the backup codes a site offers at enrollment somewhere safe.
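The following is an added example (not from the original article, and not the code of any of the apps it names) showing what an authenticator app actually does with the QR code: it parses the otpauth:// URI the code encodes, keeps the shared secret, and derives RFC 6238 TOTP codes from it; a small server-side verifier shows the matching check, including the drift window and the replay caveat. The enrollment URI is constructed; its secret is the RFC 6238 reference key `12345678901234567890` in base32, so the codes match the RFC's published test vectors.

```python
"""How an authenticator app turns the QR code into login codes (RFC 6238 TOTP).

Added example, not from the original article or from any authenticator app.
The otpauth URI below is constructed; its secret is the RFC 6238 reference key
"12345678901234567890" in base32, so the codes match the RFC's test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI of the kind a site encodes in its 2FA QR code.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract what the app keeps after scanning: the shared secret and parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)   # issuers often strip base32 padding
    return {
        "label": parts.path.lstrip("/"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, code, at_time, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side check. Returns the matching time step, or None.

    Accepts +/- `window` steps of clock drift and compares in constant time.
    The caller should store the returned step and reject any later submission
    for the same or an earlier step, so a captured code cannot be replayed.
    """
    step = int(at_time) // period
    for delta in range(-window, window + 1):
        candidate = hotp(secret, step + delta, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return step + delta
    return None


if __name__ == "__main__":
    enrollment = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = time.time()
    print(enrollment["label"],
          totp(enrollment["secret"], now, enrollment["period"], enrollment["digits"]))
```

Two things follow from the code. The only secret is the base32 string in the QR code, which is why losing the phone (or letting someone photograph the QR code) matters so much; and the server accepts any code for the current step and one step either side, so a phishing page that relays a freshly typed code within that window will succeed, which is the gap security keys close.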
Source
- https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
- https://www.bleepingcomputer.com/news/security/twitter-gets-rid-of-sms-2fa-for-non-blue-members-what-you-need-to-do/