Is the loss of SMS-based 2FA on Twitter really that bad?

The security keyboard warriors were out in force over the weekend – and I’ll be honest, I was very nearly one of them (technically, for about 5mins until I deleted my initial hot take, I was!). You see, Twitter had announced it was ending support for SMS-based 2-factor authentication (2FA or increasingly MFA - Multi-Factor Authentication), unless you paid to become a Twitter Blue subscriber.

In-app notification announcing the demise of SMS-based 2fa for non-Twitter Blue subscribers

On the face of it, this seemed to be following in a similar vein to number of recent changes seemingly designed to push people towards paying for the premium offering from the social media site - which included the recent change to the Twitter API, causing turmoil for popular 3^rd party Twitter clients, as well as for security researchers such as myself, losing access to a pretty decent intelligence source on bots and mis/dis-information campaigns. The latter of which I was mid-investigation alongside a colleague, before some of what we were looking at ended up being reported by another team here: https://thedisinfolab.org/the-fake-wall-of-china-deception-through-hired-social-media-mercenaries-part-1/

For me, the use of MFA is increasingly a critical must-have for an online service, and wherever it’s provided, I’ll enable it. Credential based attacks are amongst some of the most pervasive techniques out there, whether that be stealing them through phishing campaigns or re-playing them through credential stuffing attacks - my go-to commentary at the moment is that:

Hackers are no longer hacking - they’re simply logging on.

The rise in social media, combined with productivity tooling now increasingly available as cloud-by-default or SaaS offering only, has pushed more of our sensitive data online. And whilst in a post-COVID/Work-from-Home era, it enables users to access it anywhere in the world, so can attackers.

I remember some of the earlier migrations from on-prem to cloud, and organisations repeatedly neglected to change their security profile when doing so. Accounts that could only be accessed after a member of staff had been through a physical security check-point, swiped and pinned with an ID smart-card badge to get into the building, walked through an office of colleagues, before sitting at their desk to login. Accounts that could now be accessed over the internet, without any of those physical security checks, but still only protected by a basic password.

Humans are notoriously bad at picking passwords, and even if only 1% of accounts get compromised in a credential stuffing attack, for a 10k user organisation that’s still 100 accounts at risk of abuse and data theft - just as the UK’s Houses of Parliament found out in 2017.

Adding in a separate means of authentication, especially one that is dynamic and non-guessable, is a great way of breaking the often automated processes used by attackers to get in. And as discussed in the post below, it’s now a regulated requirement for online purchases:

When fraud becomes personal - a cautionary tale

But, as the attacks of Lapsus$ over the last year (including the breach of Uber via MFA fatigue), and even going back to 2011 with the attack on RSA - demonstrate that MFA is no silver bullet, but it does force the attackers to work harder, placing additional cost on them, and maybe even forces them to do something noisy that is easier to catch.

As with many things, not all MFA solutions are created equally, with pitfalls around usability and cost - and when it comes to security, SMS-based MFA is definitely at the bottom. None of the “S”s in SMS stand for “secure” after all.

So surely removing the weakest form of MFA is actually improving security?

I’d actually argue that when the option to not have MFA at all is still available and the default, I’d rather *any* form of MFA than none at all - especially one that is instantly accessible to anyone with a mobile phone.

But as many have argued, other more secure options of MFA are still available on Twitter - nor is there any evidence that the removal of SMS is an indication that those other methods will meet a similar demise.

Other, more secure options continue to be available for Twitter

The truth however is that SMS-based MFA is popular (even by Twitter’s own stats, with nearly 75% of MFA users, prefering SMS) largely because it’s easy - and as any battle-hardened security pro will attest to, if you make security difficult, users will ignore or bypass it.

For some, SMS-based MFA may be the only available option – either because of an MDM-locked-down corporate device, or simply no smart phone at all! And even in the MDM scenario, rolling out a new app is not always plain sailing, let alone the training cost for all of those new users.

Like many users, I use online services via my mobile a lot and registering via a mobile app isn’t always straightforward – how do you scan a QR code in the app using the phones camera, when the service you’re trying to register MFA with is on the same device? Yes, I know you enter in a text, but it’s cumbersome and occasionally hidden in the corner of the UI, behind text that implies you’ve somehow failed (“QR Code not working?”), rather than recognising you’re just one of the majority of users that use their mobiles over a larger laptop/desktop.

Then one of my other niggles with mobile app Authenticators, only to find that when I tried to log-in after a major update, that the App I was using had “forgotten” all of my accounts:

Apple iOS has the option to “Offload Unused Apps”, reclaiming storage space from underused applications, without have to have a fresh install the next time you come to use it… although, not always…

Not to mention one specific app I was using for a period (and the only one approved by my IT team at the time), was an Time-based OTP didn’t work during Daylight saving hours, because it couldn’t work out how to factor in the 1-hour difference - but in fairness, daylight savings and timezones are pretty complicated.

For me, the key message is well explained in this Twitter thread by Rachel Tobac:

Rachel Tobac @RachelTobac

This Twitter 2FA change is nerve-racking because: 1. Only ~2.6% of Twitter users have 2FA on at all (it’s essential for preventing easy account takeover) Of those 2.6%, 74% use text message based 2FA (https://t.co/WXuFydZk17) If they don’t pay for Blue they auto lose 2FA on 3/20.

Twitter Support @TwitterSupport

Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here: https://t.co/wnT9Vuwh5n

1:48 AM ∙ Feb 18, 2023

---

With this, the most critical tweet in the thread:

Rachel Tobac @RachelTobac

“But, isn’t this good bc it forced users out of SMS 2FA & into a stronger MFA method?” Unlikely — bc of confusion, lack of digital literacy, & friction this will likely 📉total MFA usage. Folks are unenrolled on 3/20 and many will not take the time to enroll in another MFA form.

2:47 AM ∙ Feb 18, 2023

---

The message is simply this:

• We forget that not everyone is a security pro

• We may personally feel comfortable upgrading from SMS to App-based (and may have done so already years ago)

• Not every user of Twitter will have the technical and security literacy to be able to make the change themselves

• The loss of an instantly accessible form of 2FA will likely see users switch off 2FA altogether rather than make the migration to an app they have no familiarity or understanding of.

My recommendation for the team at Twitter - set a KPI that sees the uptake of 2FA go up. This will mean supporting users to make the change, making it more accessible, and maybe even turned on by default. Maybe there’s an argument to include a TOTP Authenticator within the mobile Twitter Client… but maybe not.