What should Musk do to better secure Twitter users after 2FA goes away?
In just two weeks, the ban on SMS two-factor authentication for non-subscribers on Twitter will go into effect, a move blasted by the majority of the security community.
While Twitter CEO Elon Musk has defended the move as a way to protect user security, most leaders aren’t buying it.
“Just from a purely pragmatic standpoint, this is basically stripping away the lowest threshold of 2FA out there without any sort of viable or easy replacement,” Andrew Shikiar, executive director of the FIDO Alliance, told SC Media.
SMS OTP has the benefit of being easy to use, requiring no authenticator app setup, while still bolstering password-only accounts. But it has a host of drawbacks: an increased attack surface, susceptibility to spoofing, and codes that are delivered in plain text, to name a few.
Twitter’s decision to restrict the authentication method to paying subscribers led to outright mockery on its own platform, with many calling it a potential holiday for hackers.
Not only will it make users less secure, Shikiar said, it’s also unnecessary. Just because there may “be a business model behind it,” presented under the guise of innovation, does not make it the most cost-effective model. Standardizing remote identity verification, at a minimum, would be a better example of a shift that would actually lower costs, Shikiar said.
The laundry list of possible negative impacts of the controversial move is substantial, but there are a handful of positives: namely, that the company is working to move users away from SMS one-time password authentication.
However, no one is defending the inherent vulnerabilities of OTP, as it’s a risky authenticator that doesn’t really prevent account takeovers, Shikiar explained.
Had Twitter announced a secondary solution, or provided users with education around viable alternatives, the shift would have been less controversial and supported Musk’s assertion that it was meant to protect user security — all while shutting down claims it was a cost-cutting effort in the face of mounting financial woes facing the company.
“But for the mainstream consumer audience, SMS OTP is better than a password alone, and it will thwart the vast majority…