By Joseph Carson, Chief Security Scientist, Delinea.
The latest news related to Twitter’s decision to disable, or in simple terms turn off, text-based 2FA (also known as SMS-based two-factor authentication) for non-paying customers could see an increase in cyberattacks targeting Twitter users who fail to take any action prior to the fast approaching deadline on March 20th.
The move appears to reveal more of a monetary motivation from Twitter rather than a security focus, as SMS-based 2FA can cost a significant amount of money, especially when attackers are trying to take over accounts. Instead of taking the approach that the previously free SMS-based 2FA service is no longer secure enough to protect users, it will continue to be available for paying customers.
Though SMS-based 2FA is better than just having a username and password it is known to be easily compromised. If this was indeed a security-focused approach Twitter would have made a much better migration path to Multi-Factor Authentication (MFA) or authentication-based applications to ensure a higher level of protection.
Just reverting to username and password is a step backwards for those who took the extra steps to protect their accounts, and they may now be exposed again to attackers who leverage weak passwords or reused passwords across multiple accounts.
What this means for Twitters users is that those paying a subscription will have additional security options to choose from, which means users are now paying for security. It could also see many other organisations take the same approach when looking at the balance between cost and security, and it will be walking a very fine line.
This could see the end of SMS-based 2FA in the coming years, but we should not be stepping backwards to the old username and password approach. Rather, we should be moving forward to an authentication experience which includes zero friction and better protection, such as moving passwords into the background and making MFA the path forward.
