Twitter recently rolled out a major change that will affect how most people protect their accounts. The company told non-paying users that they would soon have to stop using a popular security feature: two-factor authentication via text messages.
Let me explain why this isn’t as bad as you might fear.
Plainly speaking, two-factor authentication requires two security steps to verify that you are who you say you are. The first step asks for a username and password, and the second requires you to enter a temporary code that is sent to you or to connect a physical security key. This way, even if someone else has your password, that person will still need to complete the second step to log into your account.
Twitter’s announcement of this change was initially confusing and alarming to many. But just to be clear, Twitter is putting pressure on users to adopt stronger security measures, and has created an opportunity for all of us to bite the bullet and improve the security of our online accounts.
Twitter said in a blog post that users who were not subscribed to its Twitter Blue service would no longer be able to use text messages as a form of authentication after March 20. Non-paying users can switch to different verification techniques with stronger forms of security. The alternatives are based on using a third-party application to generate a temporary code or connecting an authorized security key to access your account.
“Using free authenticator apps for 2FA will remain free and much more secure than SMS”, Elon Musk, owner of Twitter, tweeted.
Twitter had a valid point about the flaws in SMS-based authentication, according to Casey Ellis, chief technology officer at security firm Bugcrowd. “This actually makes sense, but it just didn’t run clean,” Ellis said.
But there are downsides to Twitter’s approach, he added. Text message authentication has been the simplest security tool for the vast majority of people. The other techniques require additional steps to set up.
(Also confusing: paid Twitter users will still be able to rely on codes sent to them via text to log in, an odd choice if that form of authentication is less secure. Twitter did not immediately respond to a request for comment.)
Switching to the other security methods isn’t intuitive, so there’s a risk that many non-paying Twitter users will resort to bypassing two-factor authentication entirely.
However, in the midst of all this, there is a valuable opportunity to learn about the strongest two-factor authentication methods and why we should consider using one of them, whenever possible, instead of SMS-based security for all of our online accounts. Here’s what you need to know about each method and its pros and cons.
SMS authentication
For many years, Twitter and other sites have encouraged users to set up two-factor authentication via text messages. That method sends a time-sensitive security code to a user’s phone. This has been the most widely used form of two-factor authentication because virtually everyone has a cell phone, so even the least tech-savvy person could figure it out.
But over time, security researchers have found that SMS authentication is becoming more problematic. A text message containing a security code could be intercepted by someone who has hijacked your phone number, a scam known as SIM swapping. This is how hackers broke into the Twitter account of the company’s former CEO, Jack Dorsey, in 2019.
There are more problems. A text message is not encrypted, so it can be a security risk to receive text messages on foreign networks in countries with heavy surveillance, such as China and Russia. Also, if you are traveling outside of the United States, receiving text messages on a foreign carrier can be expensive.
Security researchers continue to discover new flaws in SMS-based authentication, so we can expect more sites and apps to prevent users from receiving codes via text messages, Ellis said.
Authenticator apps
This brings us to authenticator apps, which you download to a phone or computer. They generate temporary security codes (instead of texting them to your phone) that you enter to sign in to your online accounts and apps.
Let’s use Twitter and the Google Authenticator app as an example.
- First, download the Google Authenticator app on your phone. Then on Twitter.com from a computer, click More → Security and account access → Two-factor authentication → Authentication app.
- From here, follow the steps on Twitter. You’ll be prompted to use the Authenticator app to scan a QR code with your phone’s camera, which will link the app to your Twitter account and begin generating security codes.
When you sign in to Twitter, you’ll enter your username and password, and then open the Authenticator app to find the temporary code.
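To show what is actually happening behind that QR code, here is an added example that is not part of the original article and not Twitter's or Google's code. The QR code carries an `otpauth://` URI (the Key URI format documented by the Google Authenticator project) containing a shared secret; both the app and the site then derive the same six-digit code from that secret and the current time, following RFC 6238 (TOTP) on top of RFC 4226 (HOTP). Nothing is sent over the network when the code is generated, which is why there is no text message to intercept. The secret used below is the published RFC 4226/6238 test key, not a real account secret, and the helper names are my own.

```python
"""Added example: how an authenticator app derives its codes (RFC 4226 / RFC 6238).
Standard library only; the secret below is the RFC test vector key, not a real one."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test key "12345678901234567890", base32-encoded as a site would
# embed it in the QR code. A real enrolment secret is random and never reused.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def otpauth_uri(secret_b32, account, issuer, digits=6, period=30):
    """The text a site's QR code carries; the app parses this to enrol the account."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch,
    so app and site agree as long as their clocks roughly agree."""
    now = int(time.time() if at is None else at)
    return hotp(secret_b32, now // period, digits)


def verify_totp(secret_b32, submitted, at=None, period=30, window=1):
    """Site-side check: accept the current step and +/-window steps of clock drift,
    comparing in constant time so response timing does not leak digits."""
    now = int(time.time() if at is None else at)
    step = now // period
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + drift, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    print(otpauth_uri(RFC_TEST_SECRET_B32, "alice@example.com", "Twitter"))
    print("code for Unix time 59:", totp(RFC_TEST_SECRET_B32, at=59))
    print("accepted:", verify_totp(RFC_TEST_SECRET_B32, "287082", at=59))
```

Two points worth noticing. Because the code depends only on the shared secret and the clock, the secret is what an attacker would need, which is why the backup codes and the enrolment QR should be treated as sensitive as a password. And the site-side `window` is a deliberate trade-off: a wider window tolerates a phone whose clock drifts but also lengthens how long a stolen code stays valid.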
The big downside to using authenticators is that if you lose your phone or switch to a new one, it can be a pain to regain access to your accounts. Typically, a site or app like Twitter will allow you to regain access to your account with a backup code. In Twitter’s two-factor authentication settings, a menu called “backup codes” will generate a code that will allow you to sign in again. Be sure to write this code down and keep it in a safe place.
This technique takes some time and mental bandwidth to set up correctly and get used to, but it’s better overall. It’s much harder for someone to hijack your device to see your security codes than it is to intercept a text message.
Security keys
The third method, using a physical security key in the form of a USB stick that you insert into your computer or phone to log in, is the most secure of all. We are not likely to see this technique widely adopted because the key costs money, and if you lose it, it can be difficult to regain access to your account.
Let’s use Twitter and Google’s Titan security key as an example.
- First, you have to buy a security key. Google sells its Titan security key for $30, which includes a pair of keys for different types of computers and phones.
- Then on Twitter.com from a computer, click More → Security and account access → Two-factor authentication → Security key.
- From here, follow the instructions on Twitter, which will guide you through connecting the key to a USB port and pressing a button to verify the key. Twitter will display a screen with a backup code in case you lose your password. Store it in a safe place.
Kind of a nuisance, isn’t it? Still, it can be useful for people who work in very sensitive fields, like government agencies and activism.
Bottom line
In conclusion, the authenticator app is the two-factor method that is relatively convenient and very safe to use. I recommend that most people choose an app, like Google Authenticator, Authy, or Microsoft Authenticator, and stick with it. They all work the same.
It can take some time to set up an authenticator app with all of your online accounts, but you only need to do it once. And in the long run, it could save you time because logging into sites using this method can be faster than waiting for text messages to arrive.