
Twitter demand you pay for 2 factor authentication. Smart move or a hacker's dream

28 replies

cakeorwine · 18/02/2023 12:51

Best way to protect an account is to use 2FA

Used to be free with Twitter

Now it's going to be charged for.

Elon Musk just wants to destroy Twitter.

cakeorwine · 18/02/2023 12:53

Link

www.nbcnews.com/tech/tech-news/twitter-limit-use-text-messages-two-factor-authentication-paid-subscri-rcna71305

Twitter said on Friday it will allow only paid subscribers to use text messages as a two-factor authentication method to secure their accounts.
After March 20, “only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method,” the company tweeted.
Two-factor authentication (2FA), meant to make accounts more secure, requires an account holder to use a second authentication method in addition to a password. Twitter allows 2FA by text message, authentication app and a security key.

SweetSenorita · 18/02/2023 13:15

cakeorwine · 18/02/2023 12:51

Best way to protect an account is to use 2FA

Used to be free with Twitter

Now it's going to be charged for.

Elon Musk just wants to destroy Twitter.

It's a toxic cesspool of misogyny. The sooner someone destroys it, the better 🤷

KrisAkabusi · 18/02/2023 13:35

Isn't it only text messages that are being charged for? 2FA will still be available by other methods, e.g. authenticator apps.

lurkingdh · 18/02/2023 13:53

KrisAkabusi · 18/02/2023 13:35

Isn't it only text messages that are being charged for? 2FA will still be available by other methods, e.g. authenticator apps.

Correct. Just 2FA via sms.

It's a dumb move all round.

Encouraging everyone to use 2FA is better for everyone. But of all the ways of doing 2FA, text messages are the least secure. They're still better than not doing it at all, but authenticator apps and hardware keys are even better.

So having to pay for the "worst" 2FA method but leaving all the "better" ones for free is just weird.

At least we're getting daily proof that wealth and power is not a meritocracy.

SerendipityJane · 18/02/2023 14:49

The irony is SMS 2FA is nowhere near as secure as other forms ...

cybernews.com/security/why-you-should-stop-using-sms-for-two-factor-authentication/

but then I suspect Twitter users are more comfortable with 20th century tech for some reason.

I'm still struggling to understand why a hacked Twitter account is a problem..

lurkingdh · 18/02/2023 15:05

I think advertisers may have a problem with their accounts suddenly posting offensive content. Or what about the POTUS account declaring war on China? Or journalists having their DMs leaked, exposing their sources?

There's a million and one things that can go very pear-shaped with hacked accounts.

bingoitsadingo · 18/02/2023 15:25

They’re not doing this because they want people to pay for SMS 2FA. They’re doing it because they want people to switch to more secure methods to improve security across the platform and people won’t bother to do it otherwise. Seems pretty obvious to me

Woopzies · 18/02/2023 15:45

bingoitsadingo · 18/02/2023 15:25

They’re not doing this because they want people to pay for SMS 2FA. They’re doing it because they want people to switch to more secure methods to improve security across the platform and people won’t bother to do it otherwise. Seems pretty obvious to me

Plus there is probably a cost to them of SMS 2FA. Why should they foot the bill for your convenience?

PeekAtYou · 18/02/2023 15:49

Twitter was losing millions a day when Musk bought it. I see no reason why big companies and wealthy people shouldn't pay a bit extra for more security so he can try and claw back some of the losses that the company makes?

Theopossumwasmeantforme · 18/02/2023 15:50

The thing is though that if say you're using the Google authenticator app and you break your phone you're a bit stuck if it doesn't allow you to use sms as a backup. I know authy would be fine but not everyone uses that. I only use twitter for customer service now but still.

Theopossumwasmeantforme · 18/02/2023 15:51

I think I added them to my usb key now I think about it 🤔

BertHandsome · 18/02/2023 15:54

But they’re not demanding you pay for 2FA… they’re asking for payment for text 2FA only. Did you not read the links you posted?

Theopossumwasmeantforme · 18/02/2023 15:59

I had not added my accounts to my physical keys but I have now, thanks OP.

thecatsthecats · 18/02/2023 16:01

PeekAtYou · 18/02/2023 15:49

Twitter was losing millions a day when Musk bought it. I see no reason why big companies and wealthy people shouldn't pay a bit extra for more security so he can try and claw back some of the losses that the company makes?

Because nothing in particular that he's done so far has been useful for the long-term financial security of the organisation.

You can't just slash the budgets and staffing immediately, and start slapping random functions on a charge.

But Elon fanboys aren't big on business strategy.

lurkingdh · 18/02/2023 16:18

Theopossumwasmeantforme · 18/02/2023 15:50

The thing is though that if say you're using the Google authenticator app and you break your phone you're a bit stuck if it doesn't allow you to use sms as a backup. I know authy would be fine but not everyone uses that. I only use twitter for customer service now but still.

Are you sure? 2FA methods usually give you a bunch of recovery codes you can fall back to if your 2FA device is broken/stolen/compromised.

cakeorwine · 18/02/2023 16:30

SerendipityJane · 18/02/2023 14:49

The irony is SMS 2FA is nowhere near as secure as other forms ...

cybernews.com/security/why-you-should-stop-using-sms-for-two-factor-authentication/

but then I suspect Twitter users are more comfortable with 20th century tech for some reason.

I'm still struggling to understand why a hacked Twitter account is a problem..

If you are a celebrity or a company and someone hacks your account, there can be consequences

www.theguardian.com/media/2022/dec/27/piers-morgan-twitter-account-hacked-say-reports

Theopossumwasmeantforme · 19/02/2023 11:05

lurkingdh · 18/02/2023 16:18

Are you sure? 2FA methods usually give you a bunch of recovery codes you can fall back to if your 2FA device is broken/stolen/compromised.

They do, but I've learned from posts here that no one seems to write them down/print them out. Some people swear they were never given the option, even though there's usually a message telling you to when you set 2fa up. So no, I don't think relying on that over sms is a great plan. Not just twitter, any 2fa. They need to make it seem less optional.

EmmaEmerald · 19/02/2023 11:10

Theopossumwasmeantforme · 18/02/2023 15:59

I had not added my accounts to my physical keys but I have now, thanks OP.

What does this mean please?

I didn't know about 2FA recoveries.

Twitter being hacked is a problem for business for sure.

SerendipityJane · 19/02/2023 11:13

Theopossumwasmeantforme · 19/02/2023 11:05

They do, but I've learned from posts here that no one seems to write them down/print them out. Some people swear they were never given the option, even though there's usually a message telling you to when you set 2fa up. So no, I don't think relying on that over sms is a great plan. Not just twitter, any 2fa. They need to make it seem less optional.

I can't speak for all authenticators, but certainly Google doesn't provide the ability to directly generate 2FA codes for backup. The reasoning being you don't need a signal, so as long as you have your phone ...

If you want backup codes, either look at the service you are protecting by 2FA (Facebook, Google, MS all allow you to generate backup codes for offline storage) or make sure you keep a copy of the QR code (or the alphanumeric secret it represents) when you pair your device to the service. Then you can re-pair another device quite easily.

Generally any form of 2FA is better than none. However it all still relies on the organisation that is using it to use it properly. I know of one instance where a totally incompetent outfit managed to ignore the "This wasn't me" alert a subscriber had when they were hacked, with "hilarious" results. So your trust in 2FA should only go as far as your trust in MegaBigCorp to do the right thing. And as they say in other forums: YMMV
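
The post above says that keeping the alphanumeric secret behind the pairing QR code lets another device be paired, and that the app needs no signal. As an added example that is not part of the original thread, this minimal RFC 6238 TOTP generator shows why: the code depends only on the shared secret and the clock. The pairing URI is constructed (its secret is the RFC 6238 test key), and `SAMPLE_URI`, `secret_from_uri` and `totp` are names chosen here.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the kind of otpauth:// URI a pairing QR code encodes.
# The secret is the RFC 6238 test key, not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_uri(uri):
    """Extract the base32 shared secret from an otpauth:// pairing URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP pairing URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("pairing URI carries no secret")
    return values[0]


def totp(secret_b32, unix_time, step=30, digits=6):
    """Compute the TOTP code (HMAC-SHA1, 30 s step) for a given time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the output is reproducible
    # "Old phone": paired when the QR code was first scanned.
    old_phone = totp(secret_from_uri(SAMPLE_URI), now)
    # "New phone": paired later from the saved copy of the same secret.
    new_phone = totp(secret_from_uri(SAMPLE_URI), now)
    # No network is involved: both devices derive the code locally.
    print(old_phone, new_phone, old_phone == new_phone)
```

Because anyone holding the secret can generate valid codes, a saved copy of the QR code or secret needs the same protection as the account's recovery codes.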

EmmaEmerald · 19/02/2023 11:19

So if you lose your phone, what happens to 2FA with your new one?

Theopossumwasmeantforme · 19/02/2023 11:53

@SerendipityJane google gives you a set of codes - I think it's 10 - when you turn on 2fa. You can also use sms, physical keys, devices you're logged into etc for 2FA. You can also export authenticator if you have access to your phone. I'm not remotely worried about losing access to my google accounts.

I still think expecting the average user (which I know I'm not) to keep backups of QR codes is a bit much, especially when the recovery codes aren't being kept as it is! They need a fallback for authenticator apps.

Theopossumwasmeantforme · 19/02/2023 11:57

EmmaEmerald · 19/02/2023 11:10

What does this mean please?

I didn't know about 2FA recoveries.

Twitter being hacked is a problem for business for sure.

You can use a physical key, which usually looks a bit like a memory stick, instead of using an app to generate a code. After you put in your username and password it prompts you to use it, either by plugging it in or using nfc. It's supposed to be the most secure method.

Theopossumwasmeantforme · 19/02/2023 12:02

EmmaEmerald · 19/02/2023 11:19

So if you lose your phone, what happens to 2FA with your new one?

It depends on how you set it up. If you were using Google authenticator and had no other backup methods you'd be in trouble. Most services let you also use sms though so you'd be able to get a code sent to you. With twitter removing that you'd need to make sure you have an alternative. You should make sure to keep recovery codes if you set up 2fa on any account just in case.

SerendipityJane · 19/02/2023 12:22

EmmaEmerald · 19/02/2023 11:19

So if you lose your phone, what happens to 2FA with your new one?

If you didn't keep the secret as I suggested you need to recover the account and re-pair your new one.

SerendipityJane · 19/02/2023 12:23

Theopossumwasmeantforme · 19/02/2023 11:53

@SerendipityJane google gives you a set of codes - I think it's 10 - when you turn on 2fa. You can also use sms, physical keys, devices you're logged into etc for 2FA. You can also export authenticator if you have access to your phone. I'm not remotely worried about losing access to my google accounts.

I still think expecting the average user (which I know I'm not) to keep backups of QR codes is a bit much, especially when the recovery codes aren't being kept as it is! They need a fallback for authenticator apps.

Your Google account provides backup codes. Your Google authenticator doesn't.

For what I hope would be obvious reasons.