Twitter limiting use of text message 2FA to Twitter Blue subscribers

[JonnyD100]

Summary

Twitter recently announced that only Twitter Blue subscribers will be able to use text message 2FA. Claiming possible abuse of the system for the reason of limiting to paid users only. Found out when I opened the app this morning and was prompted to remove or change my 2FA method. The use of physical security keys or authentication apps will still be allowed. Unsure whether text message 2FA can still be used as a backup.

 

 

Quotes

Quote

 While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

 

My thoughts

I feel like the reasoning behind the change feels a bit like BS, essentially saying oh you need to pay for the service to use a less secure 2FA process. I personally use text as I often forget about moving or disabling 2FA on my devices before resetting my phone or upgrading. It also seems that text won’t be able to be used in situations where you don’t have access to your physical key or authentication app. I feel this may leave some users less protected if they don’t want to have to go out and get a security key or start using an authentication app.

 

Sources

 https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

[Doobeedoo]

Imagine paying..

[TOMPPIX]

Pay to get hacked.

[Mihle]

Noone, especially famous people, should be using SMS 2FA anyway. It's way less secure than app or key 2FA.

 

So I personally see it as a good thing if less people use it but switch to app instead.

[soldier_ph]

You guys still use Twitter ? I deleted my account shortly after all of this Check Mark Controversy started on 12.12.2022.

[SansVarnic]

Never used twitter... saw it for what it was when it came out. My very brief use of FB was enough to ward me from getting on it. Cesspool 1.0 and Cesspool 2.0. I suppose that decision aged very well for me.

[Kisai]

On 2/18/2023 at 12:34 AM, JonnyD100 said:

Summary

Twitter recently announced that only Twitter Blue subscribers will be able to use text message 2FA. Claiming possible abuse of the system for the reason of limiting to paid users only. Found out when I opened the app this morning and was prompted to remove or change my 2FA method. The use of physical security keys or authentication apps will still be allowed. Unsure whether text message 2FA can still be used as a backup.

 

 

Quotes

 

My thoughts

I feel like the reasoning behind the change feels a bit like BS, essentially saying oh you need to pay for the service to use a less secure 2FA process. I personally use text as I often forget about moving or disabling 2FA on my devices before resetting my phone or upgrading. It also seems that text won’t be able to be used in situations where you don’t have access to your physical key or authentication app. I feel this may leave some users less protected if they don’t want to have to go out and get a security key or start using an authentication app.

 

Sources

 https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

I pointed this out right away that SMS 2FA is the worst 2FA

https://www.forbes.com/sites/zakdoffman/2020/10/11/apple-iphone-imessage-and-android-messages-sms-passcode-security-update/?sh=2fa7ea8a2ede

 

The reason twitter is doing this is because it costs them money. Nothing more.

https://www.wired.com/story/twitter-two-factor-sms-problems/

Quote

NOV 14, 2022

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

 

Now, should we all stop using 2FA SMS? Yes. Absolutely. It's horrible garbage nobody should use, because it makes it possible to take over accounts via sim-swap attacks.

 

Security Keys might be a little too premature to use right now, but you know celebrities, corporations and government offices can't have 2FA because more than one user needs access to it. If you think celebrities' are the ones behind their online presence, that's rarely the case. That's usually someone paid to market that celeb, such as their agency or PR staff if they're big enough.

 

The people who do post wacky unhinged takes on twitter? Those are probably that person, but on their Mobile phone. But those sanitized tweets and posts on twitter and facebook? That's certainly someone who is responsible for social media, not the celeb themselves.

 

 

[Spotty]

It was pretty funny seeing Linus's reaction to reading about the news live on the WAN show thinking that Twitter was restricting 2FA to paid accounts only, then realising that other 2FA methods are still available to regular users and losing all interest in the topic.  2hr 32min is where he talks about it.

 

I'm surprised more websites aren't phasing out SMS 2FA.

[Kinda Bottlenecked]

This should add more context

 

[darknessblade]

I think the DSA and DMA Regulations will force Twitter to at least change it for EU consumers.

 

 

[Kisai]

10 minutes ago, Kinda Bottlenecked said:

This should add more context

 

Corporate speak: 

"We don't want to pay mobile carriers for SMS, and believe mobile carriers are ripping us off"

 

Which yes, yes they are.

 

But I don't think that's t-mobile and verizon. It could be, but it's more likely individual carriers in some countries.

Twitter has largely been using agreements with carriers themselves, that are years old, back when text messages were not free for customers to send.

https://blog.twitter.com/official/en_us/a/2009/full-sms-service-for-vodafone-uk-customers.html

https://blog.twitter.com/official/en_us/a/2009/sms-tweets-for-telstra-australia.html

 

So it would not surprise me if South American or eastern European carriers were doing this. Remember, there is ONE country in the North American Numbering plan, that charges highway-robbery for roaming. Like Dollars per Kilobyte, kind of robbery. If you go on a Caribbean cruise, you turn your phone off so you don't get hit with a $1000 phone bill for voice mail deposit's.

 

Anyway, yes, I called it, it's about money. But I doubt the problem is little more than a drop in a bucket. They're likely losing more money from people abandoning the platform.

 

 

 

[GoodBytes]

For those who don't know, sending an SMS is not free. I worked in telecommunications in the past.

It is also complicated to send an SMS to a phone and requires a costly infrastructure.

 

The way companies do it is that they associate themselves with a tier one telecom, who has lines between countries, and has global relations with all telecom providers.

 

They send their 2FA text message in some medium to them, which gets transformed into an SMS, and sent out to the cellphone provider (based on the phone number) which then sends it to the phone (assuming the phone owner is in his/her provider coverage region. If not, it gets more complicated to route it). SMS are cheap, but doing all that costs money. Each telecom provider that Tier 1 company is associated with has contracts/deals for these them, and as a result, fees vary.

 

Keep in mind that you still have 2FA. You can use Microsoft Authenticator or Google Authenticator app on your phone or one of the many, many, others out there.

 

[05032-Mendicant-Bias]

I don't get Elon's plan here.

 

Elon is paying one billion dollar per year in intrest on loan alone, and I doubt Twitter is ever going to make that kind of money. If Elon's wanted a megaphone, he could have sold one hundred billion worth of Tesla Shares (cashing out crashes the stock price), leaving Twitter with no debt, so he could just do his thing guilt free, with no pretence of profits coming in, ever. It's not like anyone can ever spend one hundred billion dollars anyway. Why not just buying the most expensive megaphone ever and own it?

[TetraSky]

Don't give your phone number to Twitter.

They let others find you and add you through your phone number, even if you specifically select the option not to. Perfect for stalkers who happen to know your phone number, but don't know your online handles (happened to me, deleted that account so fast afterward)

[GoodBytes]

1 minute ago, 05032-Mendicant-Bias said:

I don't get Elon's plan here.

 

Elon is paying one billion dollar per year in intrest on loan alone, and I doubt Twitter is ever going to make that kind of money. If Elon's wanted a megaphone, he could have sold one hundred billion worth of Tesla Shares (cashing out crashes the stock price), leaving Twitter with no debt, so he could just do his thing guilt free, with no pretence of profits coming in, ever. It's not like anyone can ever spend one hundred billion dollars anyway. Why not just buying the most expensive megaphone ever and own it?

Twitter was a company that was not profitable. BUT they received money left and right from investors, in the hope to make fortune once the company turned around. Sadly, for them, because the company got a lot of money from investors, no careful spending was done (not optimized company... too many employees, etc). Elon is trying to flip the company around, and probably sale it after once profitable.

 

Sadly,

• He tries to do it ASAP while it is a complex process
• He does it alone, instead of having a team of specialists analyzing the company and knowing what to do (they are companies/investors who do this. They buy companies that went under, turn them into profitability and sale them for big profits)
• Due to the increase interest rates, he is losing investors (I suspect that even if he didn't buy Twitter, mass layoff would have occurred in any case).

Not to mention that probably advertisers are losing interest in Twitter to, which doesn't help anything.

[HenrySalayne]

2 hours ago, GoodBytes said:

For those who don't know, sending an SMS is not free. I worked in telecommunications in the past.

It is also complicated to send an SMS to a phone and requires a costly infrastructure.

Sending an SMS is as free as sending out an E-mail - the infrastructure costs money, not the message itself. This is an entirely different kind of worms, but telcos were trying so hard to squeeze money out of their infrastructure, the EU had to step in and cap the fees. Telcos being gatekeepers is literally the only reason SMS are more costly than data over the internet. In an ideal world you would just pay money for being a reachable endpoint and not for each unit of text or talking time.

1 hour ago, GoodBytes said:

Twitter was a company that was not profitable

They were (at some point).

1 hour ago, GoodBytes said:

Sadly, for them, because the company got a lot of money from investors, no careful spending was done (not optimized company... too many employees, etc).

This is just a symptom and not the underlying problem: Twitter did not have and still does not have any clue how to make money. And it's quite hard to say if you have too many or too few employees, when all your employees work into a vacuum, because nobody knows how their work actually adds value to the company.

 

Elon's "1+1 is 2 and we just get rid of all employees and make the users pay for it" oversimplification mentality did not help a bit. At this point he might just be keeping the hollow corpse of a Moloch afloat with a skeleton crew. There hasn't been any innovation, there hasn't been any progress and IMHO it's extremely unlikely this will change. When Elon's character of the "Messiah of free speech" (in some circles) has lost its glamour and the rest of the world is no longer entertained by this bright burning dumpster fire, Twitter might just vanish into oblivion.

 

I honestly don't know why we are even talking about changes to SMS 2FA, since this minor thing will not turn users into paying costumers nor will it save any significant amount of money. The loss of users who don't like this change might even be counter-productive overall. And Twitter is just one of many companies who killed SMS 2FA in the past 5 years.

[Spotty]

1 hour ago, TetraSky said:

Don't give your phone number to Twitter.

They let others find you and add you through your phone number, even if you specifically select the option not to. Perfect for stalkers who happen to know your phone number, but don't know your online handles (happened to me, deleted that account so fast afterward)

Don't forget that time Twitter "accidentally" allowed 2FA phone numbers to be used for targeted advertising.

https://www.bleepingcomputer.com/news/technology/ftc-fines-twitter-150m-for-using-2fa-info-for-targeted-advertising/

Quote

In October 2019, Twitter apologized for using phone numbers and email addresses provided for account security like two-factor authentication for advertising, saying they "may have been used accidentally for ad targeting."

"We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system," said the company at the time.

 

[Uttamattamakin]

2 hours ago, GoodBytes said:

Keep in mind that you still have 2FA. You can use Microsoft Authenticator or Google Authenticator app on your phone or one of the many, many, others out there.

 

As they say in South Africa ... "At least for now".  Elon has said his grand strategy is to make Twitter into something like an English Language We Chat.

https://fortune.com/2022/10/15/elon-musk-twitter-everything-app-x-wechat-america-china/

 

He has said so himself.   In the PRC and countries adjacent to it We Chat is used for all sorts of things.  It is how you log into other accounts, it is banking, it is train and plane tickets, it is every kind of payment online and offline.   His stated goals lead eventually to having Twitter be the authenticator and him getting paid for it one way or the other.  Ultimately by getting a cut of all the commerce it enables.  There will come a time when paying Elon would not be optional.   You'll just pay him a penny when you use this .... potential future Twitter to spend a dollar. 

[GoodBytes]

31 minutes ago, HenrySalayne said:

Sending an SMS is as free as sending out an E-mail - the infrastructure costs money, not the message itself. This is an entirely different kind of worms, but telcos were trying so hard to squeeze money out of their infrastructure, the EU had to step in and cap the fees. Telcos being gatekeepers is literally the only reason SMS are more costly than data over the internet. In an ideal world you would just pay money for being a reachable endpoint and not for each unit of text or talking time.

This is the infrastructure behind mobile phones is overly complex, with a lot of costly equipment. Maintenance isn't free. Internet based communication goes the with the logic of "Worse come to worse, the sender will try again", while in SMS, it follows a QoS models, designed that an SMS (or voice call) can be fully traced back, and any failure can be identified through the whole network. The Internet has equipment sharing (routers), mobile phone world does not... at least not cheaptly.

 

You are looking at in US .01 to 1$ per SMS sent depending on the country and providers. + Service charges by the tier 1 company.

If AT&T goes: "Pff yea, whatever 0.00001$ per SMS" Great, but you have that other company in some other country goes "Oh, 2FA SMS... well, you need to send it... sooo... 1000$ per SMS! LOLz! I am the only provider! What will you do about it?". Typically, depending on the deal with the tier 1 company, it could be a flat rate per SMS where the price is all amortized. 

 

Also, keep in mind that the EU cap is on CONSUMERS, not businesses.

 

That said, what I can agree upon is that this will save Twitter 1-3million dollars per year. Does it really matter for a company like Twitter?

Probably not. It's pocket change.

 

31 minutes ago, HenrySalayne said:

Elon's "1+1 is 2 and we just get rid of all employees and make the users pay for it" oversimplification mentality did not help a bit. At this point he might just be keeping the hollow corpse of a Moloch afloat with a skeleton crew. There hasn't been any innovation, there hasn't been any progress and IMHO it's extremely unlikely this will change. When Elon's character of the "Messiah of free speech" (in some circles) has lost its glamour and the rest of the world is no longer entertained by this bright burning dumpster fire, Twitter might just vanish into oblivion.

People realizes who is Elon. He is an investor with a good stage presence with positive attention seeking. Not a genius besides having a good eye on what to invest... almost. Example: Tesla and SpaceX. Tesla for being the only company that went with the top to down model in car manufacturing (ignore price, there is a market for such expensive cars, and let's make an electric car that is good, build a reputation and go down in price over time. While all other companies, wanted to re-invent the wheel with new designs of what a car should be/look, and aim to cost less than a gasoline engine, which is just impossible, due to the low production cost, and need to get off the shelf parts not designed for electric vehicles. So, gave electric car a bad reputation)

 

31 minutes ago, HenrySalayne said:

I honestly don't know why we are even talking about changes to SMS 2FA, since this minor thing will not turn users into paying costumers nor will it save any significant amount of money. The loss of users who don't like this change might even be counter-productive overall. And Twitter is just one of many companies who killed SMS 2FA in the past 5 years.

Correct. It got killed or moved as an exclusive feature to select countries or the option is buried with using 2FA Authenticator apps being pushed.

This is because using SMS is not free. Not to teh scale of Google, Microsoft, Twitter, Facebook, and any other large scale company who probably have millions per day of 2FA being sent out at a global scale.

[Alex Atkin UK]

16 minutes ago, Uttamattamakin said:

As they say in South Africa ... "At least for now".  Elon has said his grand strategy is to make Twitter into something like an English Language We Chat.

https://fortune.com/2022/10/15/elon-musk-twitter-everything-app-x-wechat-america-china/

 

He has said so himself.   In the PRC and countries adjacent to it We Chat is used for all sorts of things.  It is how you log into other accounts, it is banking, it is train and plane tickets, it is every kind of payment online and offline.   His stated goals lead eventually to having Twitter be the authenticator and him getting paid for it one way or the other.  Ultimately by getting a cut of all the commerce it enables.  There will come a time when paying Elon would not be optional.   You'll just pay him a penny when you use this .... potential future Twitter to spend a dollar. 

Its never going to happen given people can already use Amazon, Apple, Google, Facebook, etc for authentication.  I don't have a lot of trust for any of those, but I'd trust them over Twitter any day.  You need absolute trust for people to use a service like that, and him changing his mind every five minutes is the exact opposite of how you gain trust.

[Uttamattamakin]

49 minutes ago, Alex Atkin UK said:

Its never going to happen given people can already use Amazon, Apple, Google, Facebook, etc for authentication.  I don't have a lot of trust for any of those, but I'd trust them over Twitter any day.  You need absolute trust for people to use a service like that, and him changing his mind every five minutes is the exact opposite of how you gain trust.

I know.  It's a bold vision.  Others have tried and such a monopolistic move would run afoul of at least US anti-trust law.  (God I hope that's now somehow construed as political)  The government would act to break up such a monopoly just as they did to the phone company.  (Many here are likely way too young to know the US used to have ONE phone company  AT&T, until 1982.

Consider this.  If he can position Twitter as a "Web 3" company, the best place to use crypto, the best way to move money, the best way to get paid he can win a big chunk of the market.  At least.  If he can make Twitter at least break even then lets see if he tries to buy a major credit card issuer or a bank.  To do what he wants to do for real he'd need the credibility of a bank.

[Kisai]

1 hour ago, Uttamattamakin said:

As they say in South Africa ... "At least for now".  Elon has said his grand strategy is to make Twitter into something like an English Language We Chat.

https://fortune.com/2022/10/15/elon-musk-twitter-everything-app-x-wechat-america-china/

 

He has said so himself.   In the PRC and countries adjacent to it We Chat is used for all sorts of things.  It is how you log into other accounts, it is banking, it is train and plane tickets, it is every kind of payment online and offline.   His stated goals lead eventually to having Twitter be the authenticator and him getting paid for it one way or the other.  Ultimately by getting a cut of all the commerce it enables.  There will come a time when paying Elon would not be optional.   You'll just pay him a penny when you use this .... potential future Twitter to spend a dollar. 

Good luck, never happening now.

 

Cutting off the API access was certainly a good way to make western companies go "oh f that nonsense, we'll just use google's oauth instead", twitter was in a pretty good position until that.

 

Now after alienating the users, developers, media, and pretty much anyone who mattered to the platform, people are not going to trust Twitter to do anything right while Elon's at the helm, and see any and every change as a detriment.

 

We are seeing failing to learn from the failures of myspace and tumblr. You change the platform under new ownership, and the people who matter to that platform jump ship, immediately.

 

[Uttamattamakin]

48 minutes ago, Kisai said:

 

We are seeing failing to learn from the failures of myspace and tumblr. You change the platform under new ownership, and the people who matter to that platform jump ship, immediately.

 

Yeah, I agree.  I think the real Web 3.0 will be a return to the basics of web 1.0.  On web 1.0 everything was done by various open protocols.  It was made so that taking out one service or set of services would not take down it all.   There is Mastodon and it's fediverse.  I've also seen big movers on Twitter talking about this new social media protocol that uses some block chainy tech to drive it.  #Nostr
 

He certainly knows tech and this is interesting.  It sounds very much like bittorrent or TOR or Lime Wire  or Napster.  A P2P social networking protocol on which one shouts their message into the void.  All self hosted.  This has security issues but if Snowden uses it clearly those can be overcome. https://nostr.com/  .  It even has a streamlined way to follow people on Twitter who have linked to a Nostr "account". https://nostr.com/get-started  One of these things will eventually be the one that takes over for Twitter. 

Never the less Musk has a grand strategic vision and doing this is a step in that.  He thinks people are so addicted to Twitter that they'll take any abuse he dishes out.   That we just need that hit of dopamine that his platform can deal out.   It'll be interesting if he's right. 

[HenrySalayne]

48 minutes ago, GoodBytes said:

Also, keep in mind that the EU cap is on CONSUMERS, not businesses.

Their cap goes much further to the point that the fees between telcos have been capped.

 

52 minutes ago, GoodBytes said:

He is an investor with a good stage presence

Ehh, you might want to watch some Elon live content. If you think a deer freezing in the headlights is a good stage presence, then absolutely!

55 minutes ago, GoodBytes said:

Not a genius besides having a good eye on what to invest... almost. Example: Tesla and SpaceX. Tesla for being the only company that went with the top to down model in car manufacturing (ignore price, there is a market for such expensive cars, and let's make an electric car that is good, build a reputation and go down in price over time. While all other companies, wanted to re-invent the wheel with new designs of what a car should be/look, and aim to cost less than a gasoline engine, which is just impossible, due to the low production cost, and need to get off the shelf parts not designed for electric vehicles. So, gave electric car a bad reputation)

I think you are looking too positive at this. Tesla has just recently become profitable. They couldn't keep their promises on pricing and they missed all their deadlines. Tesla is a success story but just barely. SpaceX also did some great things, but Elon is saying every month SpaceShip and SuperHeavy are ready to fly next month - for two years (March 2023 might actually be the date!). And StarLink is also way behind the expectations.

Elon basically did three things in the last decade:

- engineering things that were considered to be not viable

- overpromising

- underdelivering

But he cannot engineer a solution for Twitter. Or maybe he can, but that solution would be a new product and then why would you need Twitter? Imagine he would have bought Boeing instead of founding SpaceX. Would we have a Falcon 9 nowadays? You cannot buy a large company and run it unprofitable for 10 years while you develop and engineer your new product.

His decision to buy Twitter was completely based on his ego and not sensible in any form.

2 hours ago, GoodBytes said:

This is because using SMS is not free. Not to teh scale of Google, Microsoft, Twitter, Facebook, and any other large scale company who probably have millions per day of 2FA being sent out at a global scale.

But how much does the amount of SMS influence the cost of SMS 2FA in general? Because Twitter is not getting rid of the system, just 90% of the SMS (probably). SMS 2FA will be switched off for paying costumers within the year, mark my words.

[StDragon]

eSIM would mitigate against the SIM-swap attack, but that's not a guarantee your carrier account won't be infiltrated via social engineering where the hacker transfers the number. Some carriers are better than others at validation, but it's not a guarantee to be a safe-guard.

 

Simply put, don't tie your cell number to 2FA. Use an OTP method instead.

 

Also, be sure to secure your primary e-mail accounts with FIDO2 security keys (YubiKey for example) in the event your cellphone is lost, stolen, or becomes bricked. You'll need access to your email account as part of the OTP re-registration process to any accounts registered with it. You don't want to be caught in a catch 22 situation where you can't get access to your e-mail account if you're phone is rendered inaccessible.

As for the FIDO2 keys, be sure to have 2 at a minimum. Some providers can let you register up to 5 keys, but 3 should suffice so long as you keep it offsite somewhere else.