Twitter recently initiated a major shift that will affect how most people protect their accounts. The company told non-paying customers that they will soon have to stop using a popular security feature: two-factor authentication via text message.
Let me explain why this is not as bad as you fear.
In short, two-factor authentication requires two security steps to verify who you really are. The first step requires entering a username and password, and the second requires you to enter a temporary code sent to you or linked to a physical security key. That way, even if someone knows your password, that person will need to complete a second step to log into your account.
Twitter’s announcement of the change initially confused and shocked many. But to be clear, Twitter is pushing users to adopt stronger protections — and it creates an opportunity for all of us to bite the bullet and improve the security of our online accounts.
Twitter said in a blog post Users who do not subscribe to its Twitter Blue service will no longer be able to use SMS as a form of authentication after March 20. Non-paying users can switch to a different verification technology with a stronger form of security. Alternatives rely on using third-party apps to generate temporary codes or insert authorized security keys to access your accounts.
“Free authentication apps that use 2FA will stay free and be far more secure than SMS,” Elon Musk, owner of Twitter, tweets.
Casey Ellis, chief technology officer at security firm Bugcrowd, said Twitter’s argument about the shortcomings of SMS-based authentication makes sense. “It does make some sense, but it’s just not executed in a clean way,” Mr Ellis said.
But Twitter’s approach also has downsides, he added. Authentication using text messages is the easiest security tool most people use. Other techniques require additional steps to set up.
(Also confusing: Paid Twitter users can still rely on a code sent to them via text message to log in — an odd choice if this form of authentication is less secure. Twitter did not immediately respond to a request for comment. )
Switching to other security methods isn’t intuitive, so there’s a risk that many non-paying Twitter users might resort to skipping two-factor authentication altogether.
In the midst of all this, however, is a rare opportunity to learn about stronger two-factor authentication methods—and why we should consider using one of these whenever possible, rather than SMS-based for all our online accounts. safety. Here’s what you need to know about each method and its pros and cons.
SMS authentication
For years, Twitter and other sites have encouraged users to set up two-factor authentication via text message. This method sends a time-sensitive security code to the user’s mobile phone. It’s the most widely used form of two-factor authentication, and since nearly everyone has a mobile phone, even the least tech-savvy can understand it.
But over time, security researchers have found more and more SMS authentication problems. Someone hijacking your phone number could intercept a text message containing a security code – a scam known as SIM swapping. That’s how hackers broke into the Twitter account of the company’s former CEO, Jack Dorsey, in 2019.
There are more problems. Text messages are not encrypted, so receiving text messages on foreign networks in heavily monitored countries such as China and Russia can be a security risk. Also, receiving text messages through foreign carriers can be expensive if you’re traveling outside of the United States.
Security researchers continue to discover new flaws in SMS-based authentication, so we can expect more websites and apps to prevent users from receiving verification codes via SMS, Mr Ellis said.
Authenticator app
This brings us to the authenticator app, which you can download to your phone or computer. They generate temporary security codes (rather than sending them to your phone) that you enter to log into your online accounts and apps.
Let’s take Twitter and the application Google Authenticator as an example.
-
First, download the Google Authenticator app to your phone.Then, on Twitter.com on your computer, click more→Security and Account Access→two-factor authentication→authentication application.
-
From here, follow the steps on Twitter. You’ll be asked to scan a QR code with your phone’s camera using the Authenticator app, which will link the app to your Twitter account and begin generating security codes.
When you log into Twitter, you’ll enter your username and password, then open the Authenticator app to find a temporary code.
One big downside to using an authenticator is that it can be a pain to regain access to your account if you lose your phone or get a new one. Often, a website or app like Twitter will let you use a backup code to regain access to your account. In Twitter’s two-factor authentication setup, a menu labeled “Backup Code” will generate a code to log you back in. Make sure to write down this code and keep it in a safe place.
This technique takes some time and mental bandwidth to set up properly and get used to, but is better overall. It’s much harder for someone to hijack your device to see your security code than it is to intercept text messages.
security key
The third method—using a physical security key in the form of a USB stick that you plug into your computer or phone to log in—is the most secure of all. We’re unlikely to see widespread adoption of this technique because keys cost money and if you lose them, it’s very difficult to regain access to your account.
Let’s take Twitter and Google’s Titan Security Key as an example.
-
First, you must purchase a security key.Google sells its Titan Security Key $30; it includes a pair of keys for different types of computers and phones.
-
Then, on Twitter.com on your computer, click more→Security and Account Access→two-factor authentication→security key.
-
From here, follow Twitter’s instructions, which will walk you through inserting the key into a USB port and pressing a button to verify the key. Twitter will then display a screen with a backup code in case you lose your key. Store it in a safe place.
It’s a bit of a hassle, isn’t it? Still, it may be useful for those who work in highly sensitive fields, such as government agencies and activism.
the bottom line
To sum up, an authenticator app is a convenient and very secure two-factor method to use. I recommend that most people pick one app, such as Google Authenticator, Authy, or Microsoft Authenticator, and stick with it. They work on the same principle.
Setting up an authenticator app with all your online accounts can take some time, but you only have to do it once. It may save you time in the long run, as logging into a website is faster using this method than waiting for a text message to arrive.
