Why I think Twitter’s restriction of SMS Authentication is good

Twitter just announced that they are limiting the use of text messages for two-factor authentication to only their Twitter Blue subscribers. I think that this will have a trickle down effect in all aspects of online security, not only on Twitter, but also in the whole Internet. Let me explain!

First, the basics

Two-factor authentication (2fa), is an extra layer in the authentication mechanisms for online accounts, that extends the usual username and password combination.

For instance, in this case, to log in to Twitter, you need to provide your username or email, combined with your password to access your account. This applies to almost every online account. This means that is a malicious actor got access to these two pieces of information, they could access your account.

By adding 2FA to your account, you’d need another piece of the puzzle to access your account, even after providing your username and password. For most users, this other piece of the puzzle has been an SMS with a code. After providing your username and password, you then enter this code and you get access to your account.

The 2FA adds a layer of security, in that even if someone has your username and password, they cannot access your account since they do not have access to your phone.

The other two methods supported by Twitter are:

• Authenticator App – This is an app, for example Microsoft Authenticator of Google Authenticator that generates a random time-sensitive code or push notifications that users can then user in place of, as in our example above, the SMS code. The codes are random and change frequently, meaning they are virtually impossible to break.
• Security Key – This is a small physical device used for additional security next to your password and is considered to be one of the most secure ways of two-factor authentication (2FA). Most Security Keys are very simple to use and you only need to touch or tap a button while it is plugged into the USB port of your device.

The scope of these other two are outside the goal of this post, so I’ll leave that out for now.

Is SMS insecure then?

SMS as a method for 2FA actually stops up to 76% of attacks. It is the least secure of the three 2FA methods. This is partly due to four reasons:

• Spoofing/Phishing – it is a well known fact in the security community that the security of phone networks and phone companies is notoriously easy to access. These are the networks relied upon by SMS messages used for 2FA. If an attacker compromises these networks, they can then read your 2FA codes in plaintext, especially since most of then are not encrypted.
• SIM Swapping – this is usually a bit more sophisticated than spoofing, but once an attacker goes through with it, they have the keys to the kingdom here. We are talking your entire phone number. This article by Vice shows exactly how much havoc a hacker can unleash in a small amount of time.
• Social Engineering – Hackers can also simply pretend to be you to your mobile service provider. They obtain personal information from other sources to bypass any security questions and request a secondary SIM (they’ll claim the old one was lost, stolen, etc.). Then, they intercept the shipment of the new SIM. Once you lose service on your own SIM, your number is under the control of the hacker, and they can request new SMS 2FA codes at will. It’s low-tech, but highly effective.Another very low-tech but time-tested method is getting close enough to get a look at your phone. If you’ve enabled lock screen notifications, it’s all too easy to peak at passwords sent by SMS.

Do you then even need 2FA?

Yes!

In addition to creating strong passwords and using different passwords for each of your accounts, setting up 2FA is the best move you can make to secure your online accounts — even if you insist on receiving codes via SMS. Don’t be the low-hanging fruit with an account that is the easiest target for hackers.