THE LATEST BIZARRE move of Elon Musk’s Twitter ownership weakens the security of millions of accounts
On February 17, Twitter announced plans to stop people using SMS-based two-factor authentication to secure their accounts—unless they start paying for a Twitter Blue subscription. However, there are more secure, free, and easier ways to continue protecting your Twitter account with two-factor authentication.
Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging in to a website, app, or service, 2FA requires you to sign in using your username and password, then verify that the login is authentic using another piece of information. Most commonly, this involves entering a temporary code that’s generated or sent to you in real time.
This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that’s in your pocket. Having any kind of two-factor authentication turned on is better than none. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.
That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.
In its announcement, Twitter said people have 30 days to turn off SMS-based 2FA and move to another option. It said the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication—unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date.
However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security if they do not move to another 2FA option. Here’s what you should do to keep your account secure.
Use an Authenticator App or Security Key
Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its Settings and privacy, then Security and account access, Security, and finally Two-factor authentication. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.
Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. Each time you need to log in to a website or app, you visit the authenticator app after entering your username and password to get the authentication code instead of waiting for a text message. (It’s particularly helpful if your phone doesn’t have connectivity for some reason.)
There are multiple, free two-factor authentication apps to pick from, although they all offer the same essential service and can be used across platforms. The big players have their own apps:There’s Google’s Authenticator App and Microsoft Authenticator. Alternatively, various password managers that you may already use, such as 1Password, have their own authenticator services. There’s also Twilio’s Authy App. And if you have an iPhone, you can use Apple’s built-in generator.
Each has pros and cons that you should consider before picking one. For instance, you may be heavily locked into Microsoft’s or Google’s ecosystems and want to use their apps. Google’s is relatively basic but doesn’t sync elsewhere; Microsoft’s app offers password management services. However, the Microsoft and Authy apps appear to collect more user analytics data than Google’s. Whatever app you pick, it’s possible to switch to another authenticator.
Setting up an authentication app on Twitter, and anywhere else, is simple. For Twitter, you need to visit its 2FA page. Then open your authentication app, select the option to add a new account, then scan the QR Twitter shows you. Enter the six-digit code on your app and you’re done.
Alternatively, instead of an authenticator app, you can use a security key. The keys are physical pieces of hardware that you either plug into your computer when logging in or connect to your phone. They’re the most secure method of 2FA as an attacker physically needs the key to log in to your account—whereas an attacker always has the possibility of trying to trick you into handing over a generated six-digit authentication code.
Once you’ve set up an authenticator app or hardware key for Twitter, you’ll also want to make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as losing your phone or security key. (The first time you set up 2FA on Twitter it will provide you with a backup code, although this can be regenerated online.) You should save this in a safe place, such as your password manager.