Security beyond the SMS method
Twitter recently set in motion a major shift that will affect how most people protect their accounts. The company told non-paying users that they would soon have to stop using two-factor authentication via text message.
The announcement was initially confusing and alarming. But to be clear, Twitter is pushing users to adopt stronger safeguards — an opportunity for us all to bite the bullet and improve the security of our online accounts.
Twitter said those who were not subscribers to its Twitter Blue service would no longer be able to use this form of authentication after March 20. The alternatives rely on either a third-party app that generates a temporary code or a physical security key that you plug in or tap to confirm a login.
“Use of free authentication apps for 2FA will remain free and are much more secure than SMS,” Elon Musk tweeted.
Twitter had a valid point about the flaws in SMS-based authentication, according to Casey Ellis, the chief technology officer of the security firm Bugcrowd. “This actually does make some sense, but it just wasn’t executed in a clean way,” Ellis said.
But there are downsides to Twitter’s approach, he added. Authentication using SMS has been the simplest security tool for the vast majority. The other techniques require extra steps to set up. So there’s a risk that many may resort to skipping two-factor authentication altogether.
Text-message authentication has been the most widely used form of two-factor authentication. But over time, security researchers have found it increasingly problematic. A text message containing a security code can be read by someone who has hijacked your phone number, typically by persuading your carrier to move the number to a SIM they control, a scam known as SIM swapping. This is how hackers broke into the Twitter account of the company's former CEO, Jack Dorsey, in 2019.
There are more issues. A text message is not encrypted in transit, so the carrier and anyone with access to its network can read it. That makes it risky to receive login codes on foreign networks in countries with heavy surveillance such as China and Russia.
Authentication apps generate temporary security codes that you enter to log in to your online accounts and apps. Download the Google Authenticator app onto your phone. Then, on Twitter.com from a PC, click More, then Security and Account Access, then Two-Factor Authentication, then Authentication App. Follow the steps on Twitter. You'll be asked to use the Authenticator app to scan a QR code with your phone camera. The QR code carries a secret shared between Twitter and the app; from then on the app uses that secret and the current time to generate codes, with no network connection needed.
When you log in to Twitter, you’ll enter your username and password and then open the Authenticator app to find the code.
However, if you lose your phone or switch to a new one, it can be a pain to regain access to your accounts. Typically, a site or app like Twitter will let you regain access with a backup code. In Twitter's two-factor authentication settings, a menu labelled "backup codes" will generate a code to let you log back in. Jot this code down and store it somewhere safe, and treat it like a password: anyone who has it can use it in place of your phone.
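To make concrete what the app and the site actually do after the QR code is scanned, here is an added example in Python. It is not code from Twitter or from Google Authenticator; it implements the open standard those apps use, time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), and adds the server-side checks a practitioner cares about: a small clock-skew window, a constant-time comparison, and rejection of a code that has already been used. The otpauth URI format is what enrolment QR codes encode. The secret and timestamps used in the demo are the published RFC test vectors, not real account data, and the issuer and account names are made up for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in ASCII), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def make_enrolment(issuer, account):
    """Server side of enrolment: mint a random secret and the otpauth URI that goes into the QR code."""
    secret = base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


def parse_otpauth(uri):
    """App side of enrolment: pull the shared secret and parameters out of the scanned URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """TOTP (RFC 6238): HOTP with the counter set to the number of `period`-second steps since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits, algorithm)


def verify_totp(secret_b32, candidate, at=None, period=30, digits=6, window=1, used_steps=None):
    """Server-side check. Accepts the current step plus/minus `window` steps to tolerate clock
    skew, compares in constant time, and (if `used_steps` is given) refuses to accept the same
    time step twice so a code observed once cannot be replayed within its validity window."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for delta in range(-window, window + 1):
        candidate_step = step + delta
        if used_steps is not None and candidate_step in used_steps:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate_step, digits), candidate):
            if used_steps is not None:
                used_steps.add(candidate_step)
            return True
    return False


if __name__ == "__main__":
    # Enrolment round trip with a fresh random secret (issuer/account names are illustrative).
    secret, uri = make_enrolment("ExampleSite", "alice@example.com")
    assert parse_otpauth(uri)["secret"] == secret
    # The app and the server derive the same code from the same secret and clock.
    print("current code:", totp(secret))
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA1 code is 94287082.
    print("RFC vector:", totp(RFC_TEST_SECRET, at=59, digits=8))
```

The enrolment secret never leaves the two parties after the QR code is scanned, which is why an app code cannot be diverted the way a text message can. The replay guard matters because a code stays valid for the whole time step plus the skew window; a server that only checks the HMAC would accept a stolen code a second time within that window.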
This technique takes some time and mental bandwidth to set up properly and get used to, but it's better overall. It's much tougher for someone to hijack your device to see your security codes than it is to intercept a text message. One caveat: an app-generated code can still be captured if you type it into a convincing fake login page, which is one reason the third method ranks higher.
The third method, a physical security key that you plug into your computer or phone or tap against it, is the most secure: the key only answers the genuine site it was registered with, so a look-alike phishing page gets nothing useful. We're not likely to see this technique widely adopted because the key costs money, and if you lose your key, it can be difficult to regain access to your account.
Consider Google's Titan security key, which works with Twitter. Google sells the Titan key for $30; the bundle includes a pair of keys for different types of computers and phones. On Twitter.com from a computer, click More, then Security and Account Access, then Two-Factor Authentication, then Security Key. Follow Twitter's instructions for plugging the key into a USB port and pressing its button to verify it. Twitter will then show a screen with a backup code in case you lose your key; store that code as carefully as the key itself, and if you have a second key, register it as a spare.