Why I think Twitter’s restriction of SMS Authentication is good

Twitter just announced that they are limiting the use of text messages for two-factor authentication to only their Twitter Blue subscribers. I think that this will have a trickle-down effect on all aspects of online security, not only on Twitter but across the whole Internet. Let me explain!

First, the basics

Two-factor authentication (2FA) is an extra layer in the authentication mechanism for online accounts that extends the usual username and password combination.

For instance, to log in to Twitter you provide your username or email together with your password. This applies to almost every online account, which means that if a malicious actor got hold of these two pieces of information, they could access your account.

By adding 2FA to your account, you’d need another piece of the puzzle to access your account, even after providing your username and password. For most users, this other piece of the puzzle has been an SMS with a code. After providing your username and password, you then enter this code and you get access to your account.

The 2FA adds a layer of security, in that even if someone has your username and password, they cannot access your account since they do not have access to your phone.

The other two methods supported by Twitter are:

  • Authenticator App – This is an app, for example Microsoft Authenticator or Google Authenticator, that generates a time-sensitive code or a push notification that users can then use in place of the SMS code from our example above. The codes change frequently, meaning they are virtually impossible to break.
  • Security Key – This is a small physical device used for additional security next to your password and is considered to be one of the most secure ways of two-factor authentication (2FA). Most Security Keys are very simple to use and you only need to touch or tap a button while it is plugged into the USB port of your device.

These other two methods are outside the scope of this post, so I’ll leave them out for now.

Is SMS insecure then?

SMS as a method for 2FA actually stops up to 76% of attacks. It is the least secure of the three 2FA methods. This is partly due to four reasons:

  • Spoofing/Phishing – it is well known in the security community that phone networks and phone companies are notoriously easy to compromise. These are the networks that the SMS messages used for 2FA rely on. If an attacker compromises these networks, they can read your 2FA codes in plaintext, especially since most of them are not encrypted.
  • SIM Swapping – this is usually a bit more sophisticated than spoofing, but once an attacker goes through with it, they have the keys to the kingdom: your entire phone number. This article by Vice shows exactly how much havoc a hacker can unleash in a small amount of time.
  • Social Engineering – hackers can also simply pretend to be you to your mobile service provider. They obtain personal information from other sources to bypass any security questions and request a secondary SIM (they’ll claim the old one was lost, stolen, etc.). Then they intercept the shipment of the new SIM. Once you lose service on your own SIM, your number is under the control of the hacker, and they can request new SMS 2FA codes at will. It’s low-tech, but highly effective.
  • Shoulder surfing – another very low-tech but time-tested method is getting close enough to get a look at your phone. If you’ve enabled lock screen notifications, it’s all too easy to peek at codes sent by SMS.

Do you then even need 2FA?

Yes!

In addition to creating strong passwords and using different passwords for each of your accounts, setting up 2FA is the best move you can make to secure your online accounts — even if you insist on receiving codes via SMS. Don’t be the low-hanging fruit with an account that is the easiest target for hackers.
