Thursday, November 21, 2024

Tech News, analysis, updates, comments, reviews

Why I think Twitter’s restriction of SMS Authentication is good

Twitter just announced that they are limiting the use of text messages for two-factor authentication to only their Twitter Blue subscribers. I think that this will have a trickle down effect in all aspects of online security, not only on Twitter, but also in the whole Internet. Let me explain!

First, the basics

Two-factor authentication (2fa), is an extra layer in the authentication mechanisms for online accounts, that extends the usual username and password combination.

For instance, in this case, to log in to Twitter, you need to provide your username or email, combined with your password to access your account. This applies to almost every online account. This means that is a malicious actor got access to these two pieces of information, they could access your account.

By adding 2FA to your account, you’d need another piece of the puzzle to access your account, even after providing your username and password. For most users, this other piece of the puzzle has been an SMS with a code. After providing your username and password, you then enter this code and you get access to your account.

The 2FA adds a layer of security, in that even if someone has your username and password, they cannot access your account since they do not have access to your phone.

The other two methods supported by Twitter are:

  • Authenticator App – This is an app, for example Microsoft Authenticator of Google Authenticator that generates a random time-sensitive code or push notifications that users can then user in place of, as in our example above, the SMS code. The codes are random and change frequently, meaning they are virtually impossible to break.
  • Security Key – This is a small physical device used for additional security next to your password and is considered to be one of the most secure ways of two-factor authentication (2FA). Most Security Keys are very simple to use and you only need to touch or tap a button while it is plugged into the USB port of your device.

The scope of these other two are outside the goal of this post, so I’ll leave that out for now.

Is SMS insecure then?

SMS as a method for 2FA actually stops up to 76% of attacks. It is the least secure of the three 2FA methods. This is partly due to four reasons:

  • Spoofing/Phishing – it is a well known fact in the security community that the security of phone networks and phone companies is notoriously easy to access. These are the networks relied upon by SMS messages used for 2FA. If an attacker compromises these networks, they can then read your 2FA codes in plaintext, especially since most of then are not encrypted.
  • SIM Swapping – this is usually a bit more sophisticated than spoofing, but once an attacker goes through with it, they have the keys to the kingdom here. We are talking your entire phone number. This article by Vice shows exactly how much havoc a hacker can unleash in a small amount of time.
  • Social Engineering – Hackers can also simply pretend to be you to your mobile service provider. They obtain personal information from other sources to bypass any security questions and request a secondary SIM (they’ll claim the old one was lost, stolen, etc.). Then, they intercept the shipment of the new SIM. Once you lose service on your own SIM, your number is under the control of the hacker, and they can request new SMS 2FA codes at will. It’s low-tech, but highly effective.Another very low-tech but time-tested method is getting close enough to get a look at your phone. If you’ve enabled lock screen notifications, it’s all too easy to peak at passwords sent by SMS.

Do you then even need 2FA?

Yes!

In addition to creating strong passwords and using different passwords for each of your accounts, setting up 2FA is the best move you can make to secure your online accounts — even if you insist on receiving codes via SMS. Don’t be the low-hanging fruit with an account that is the easiest target for hackers.

2 COMMENTS

  1. I loved even more than you will get done right here. The picture is nice, and your writing is stylish, but you seem to be rushing through it, and I think you should give it again soon. I’ll probably do that again and again if you protect this hike.

  2. I do not even know how I ended up here but I thought this post was great I dont know who you are but definitely youre going to a famous blogger if you arent already Cheers

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Get notified whenever we post something new!

spot_img

Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Concerns about the ICT Bill 2024 in Kenya

THis post has been updated after the attention it is gannering. The original post can be found here: https://web.archive.org/web/20240813033032/https://blog.blancorpsolutions.com/kenya/concerns-about-the-ict-bill-2024-in-kenya/ Kenya's tech industry has been a beacon of innovation and growth, thanks in part to a regulatory environment that has allowed...

What are the real intentions of tracking IMEI numbers?

Imagine if you had a magic map that could show you where all your favorite toys were at any time. Sounds pretty? Well, in Kenya, the government wants to do something similar, but with people’s phones. They plan to...

The Tor Project + Tails, A Game-Changing Merger for Privacy Advocates

In a significant development for digital privacy enthusiasts, the Tor Project and Tails have merged their operations, uniting two of the most trusted tools in the fight against online surveillance. This merger, announced this month, combines the power of...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.