Cyber security image

It was recently announced that Twitter was going to begin hiding two-factor authentication (2FA) behind a paywall, or at least that's what a lot of people saw. In reality, Twitter is only allowing subscribers to their new (ish) "Twitter Blue" subscription tier to use SMS-based 2FA. Everyone else will need to use either TOTP or a hardware security key (both of which can be used without a subscription). Come the 20th March, users who don't have Twitter Blue will have SMS-based 2FA removed from their account, regardless of whether they have any other methods enabled, which is definitely going to result in a lot of accounts being suddenly made much less secure. And that's before we consider the huge number of stale accounts now ripe for a takeover.

Why is Twitter doing this? From a recent transparency report, only 2.6% of Twitter users have any kind of two-factor authentication enabled - a statistic which is terrifying to me. Of those, 74.4% use SMS, 28.9% use TOTP, and a measly 0.5% use a security key. According to Mr Musk, Twitter is spending around $60 million on their SMS infrastructure (no wonder Twilio have so much money).

After the announcement, the internet was divided. Many people are annoyed by this, and that it's a step back in security and convenience. Others believe it's great, and doesn't go far enough. This got me thinking, there's a common misconception, even among techy people, as to what 2FA is, like really, and why it's so important for online security.

#What 'most people' think 2FA is

For most people, when they see "2FA", most people will think of "an extra code" that's used alongside (well, usually after) a username and password to additionally confirm you are who you say you are. That way, if there's a security breach or someone guesses your password, your account is still secure because the attacker won't have the code. The code being something sent to you through email or more commonly SMS, or something generated by an app on your phone. Sometimes the phone app is a generic one like Google Authenticator or Authy, or other times its specific to the service, like or some banking apps.

What I find interesting, and what makes me mostly happy, is that none of that is strictly wrong. It's just not the whole story...

#What 2FA actually is

Two-factor authentication is more common phrase given to multi-factor authentication (MFA) (yes, you can have more than 2, but more on that later). The idea is very much to confirm who you are, but not just by using 2 different secret credentials, the difference is intentional and specific.

Validating a user's identity remotely is a hard problem, as there's no easy way for a computer to determine you are who you say you are. If I have your password, does that mean I'm you? What about if I have your phone, or a photo of you taped to my webcam? What if I know your post code, is that enough? Hopefully it takes a little more than knowing your post code (if your password is your postcode, please go and change it now), but the ways of validating a person is who they say they are generally fit into 3 categories (or "factors", if you will):

  • Something you know (a password, that secret handshake you made up in primary school)
  • Something you have (Your phone, your house keys)
  • Something you are (Your fingerprint, that trademark sarcastic tone of voice you have)

When it comes to proving identity, any validation falls into one of those 3 categories. This is why we have 2-factor authentication, because it generally uses 2 of these factors: You know your password, and you have your phone. Two separate factors reduces the chances of someone being able to break into your account. If someone steals your phone, well they still don't have your password. If someone is able to guess your password, they don't have your phone. Sure, someone could get both, but that raises the barrier to entry enough that it's unlikely enough for most people. Perfect security is incredibly difficult, but it's not too difficult to get close.

It's the same reason that those "secret phrases" used by banks aren't really a second factor. It's just a second password which you rarely share the entirety of, and that you only need to disclose a few characters of to prove you know it, rather than the whole thing. Wait, that doesn't actually sound very secure, does it? Moving on...

MFA is slowly becoming more mainstream, but it's not quite there yet. No matter how many times you tell people not to, they'll still choose weak passwords, and reuse them across multiple sites. From a data breach in 1 site, an attacker can just try those same username and password combinations on other sites and gain access to a fair few accounts. This is called credential stuffing. If the accounts had 2FA enabled, then that's no longer viable. Sure there are plenty of ways to get around two-factor authentication, but they are generally targeted attacks which require thought and planning.

#Factor 4 - A New Hope?

There is a 4th factor, which you occasionally see floating around: Some people you know. This being the idea that rather proving to the computer you are who you say you are, the computer attempts to verify your identity by asking someone you know whether you are really you. In reality this more "authentication by proxy", or just delegating the problem to someone else, but it's an interesting thought nonetheless, which of course still has its own issues.

For example, Facebook for a while required something similar to download an export of your profile. Even once you were fully logged in, Facebook would show you a few photos of the same person, and ask you to identify them. It's not quite the same as the 4th factor, it's really more something you know, and it's definitely a long way from perfect but it's an interesting and clever solution to a problem.

#What's TOTP?

"TOTP" is an acronym I've thrown around a lot, so I thought I might as well explain it. TOTP stands for "Time-based One Time Password", and is the technical name for the codes generated by the apps on your phone. TOTP uses a secret (either typed in or encoded in a QR code) along with the current time (in UTC, because timezones) to generate a code which is only valid for short period.

The code itself isn't important, it's merely an implementation detail. By having the secret only on your mobile device, it proves you have that mobile device (a "thing you have" in MFA terms), proving you are who you say you are. Or at least proof enough. There are a few alternatives to TOTP and SMS-based 2FA to prove you have your mobile device, such as Duo, which uses push notifications to confirm your identity (much like many banks use when validating payments online as part of 3D-Secure).

#"Doesn't that mean storing my TOTP codes in a password manager is bad?"

Well yes, but actually no, but also yes. In short, it's complicated...

Theoretically, in the literal MFA sense, a TOTP code in your password manager synced to another device stops becoming a "thing you have", instead becoming a "thing you know", in that it's a protected and secret piece of information, much like your password. Further still, it means should your password manager be compromised, an attacker would have both your password and TOTP codes, and so could trivially access your account.

Does this matter for most people, probably not. The reason password managers do this is because by reducing complexity and increasing convenience, it encourages people to secure their account, and makes it just as easy as having their password manager remember their password.

Assuming you're using a reasonable password manager (not you, LastPass), it shouldn't make too much difference security wise. Having your TOTP codes generated by a password manager is much better than having no 2FA at all. Most of the security and some of the convenience is better than some of the security and most of the convenience.

#The problems with SMS-based 2FA

Most people are familiar with 2FA in the form of SMS-based 2FA. The SMS-based approach shares a lot with its sibling, TOTP-based, however rather than having a time-based code generated by an app on your phone, a code is sent to you via SMS, which you then enter into the application. This might sound perfectly fine, but it's less secure than TOTP for 2 main reasons:

Firstly, these codes aren't as timely, because they take a varying amount of time to generate, send, and be received by the user. Typically, an SMS takes around 5 second to receive, but that assumes a lot on the infrastructure being used to send and transmit the message. In reality, it could easily take up to a minute or two to come through, by which time you've probably got impatient and moved on to something else. Once the code has been generated by the application, it needs to be sent and received by the user, have them find their phone (or at least take it out their pocket), open the SMS app, read the message and type in the code. Each step adds variance, and the last thing you want is for a user to take fractionally too long and start again. Whereas, with TOTP, the codes keep updating until the user is looking at the code. If the TOTP code is about to expire, the user can clearly see this, wait a few seconds for the next code to come through, and have the full 30 seconds to type the code in.

Secondly, there's the SMS infrastructure itself. SMS-based 2FA assumes that everything in between their servers and your phone are perfectly secure. In reality, that's far from true. If you know what you're doing, and know whose phone you want to hijack, it can be relatively simple to hijack someone's phone, issuing a new sim card with their phone number on it. At this point, as far as any application is concerned, you are them now, assuming you have some way of getting past the password prompt. Even that may not be necessary if a site supports password reset over SMS. Sure, sim swapping is a targetted attack - it's not something you can easily scale to compromise thousands of accounts, but it's still possible.

#Doing 2FA properly

I've talked a lot about how not to do 2FA, and yet also how important 2FA is - so how is it done properly? Sadly, I think it comes down to some work on your part, and ensuring each "factor" an application provides aligns with what the "factors" should be. As it's most common, I think this is most interesting to discuss through TOTP.

TOTP is merely an implementation detail, allowing an application to prove you have access to a device. Keeping said codes on your phone, and ideally only on your phone, keeps that fact true. This can make life much more inconvenient, especially if you lose your phone. There are apps like Authy which support syncing your TOTP codes, but introduces a lovely catch-22 issue of where to store the TOTP codes for that app.

#Hardware security keys

A better way to achieve the "something you have" factor is using a hardware security key, like a Yubikey. Instead of using a code generated by your phone, it's a small device which connects either over NFC or USB, and it deals with security identifying you as you. When prompted, you plug it in, press the button on it, and you're done. Hardware security keys have some additional protections too, as it's not possible for an attacker to intercept the message and use it on another site, as is possible with TOTP and a totally legit looking phishing site. Hardware security keys are really cool, but sadly can't be used everywhere, as they require specific support in the application, much like TOTP (but separate), however support is growing.

#Is Twitter removing SMS 2FA a bad thing?

Now, back to the event which made me write this post in the first place: Twitter moving SMS-based 2FA behind thier "Twitter Blue" subscription. I was asked by a friend what I thought of this, and I do think this is definitely a bad thing, but not for the reasons you might expect:

Paying for something implies it's valuable. Twitter charging for SMS-based 2FA, but giving away TOTP-based for free implies SMS-based is more valuable, and thus more secure. In reality, it's very much the opposite. This may very well lead unsuspecting users into a false sense of security around the security of their account. "Give me money for something that sucks" isn't exactly the best marketing, but in this case, it's pretty much what's happening.

If Twitter had removed SMS-based 2FA entirely, it would likely have forced people to at least look at TOTP and consider enabling it instead. Sadly, I suspect the reason why Twitter didn't do this is because most people probably wouldn't be bothered to spend the effort, and just disable 2FA instead. The alternative reason is that Musk just wants Twitter's users to start covering their Twilio bill more directly, sadly at the cost of weaker security, but for once I'll try and be a little optimistic.

Another interesting question is "Is bad 2FA better than no 2FA?", and the answer to that is a resounding Yes! Password managers may be pretty common, but people still reuse passwords all the time. 2FA of any kind is at least a second layer of protection for people's accounts should an attacker try the leaked credentials of 1 site in another. Even a second layer of the same factor, like the memorable phrases used by many banks, is at least some improvement.

There is a false sense of security (pun not intended) around weak 2FA regarding "It's fine to have a weak password, because they'd need my phone to get in". That is definitely wrong and damaging. But if you already have a strong password, SMS-based 2FA still adds another layer between an attacker and your account, even if that second layer is theoretically weaker than the first.

So sure, Twitter made a strange decision by disabling SMS-based 2FA for users, but I suspect it's the best decision they could make. Sure, if you follow its principles strictly, 2FA is difficult and less convenient than how you're probably doing it now, but it does carry benefits. If you're reading this, have a brand to protect on Twitter, and are using SMS-based 2FA, you should probably go fix that.

Share this page

Similar content

View all →


LAN-only applications with TLS

4 minutes

The internet is a wild place, filled with well, everything. There are many ways of exposing an application to the internet, but no matter how secure an application claims to be, or how confident you are with your infrastructure, sometimes you may just be more comfortable keeping it internal. Historically,…


Creating a fast, secure WordPress site

4 minutes

In terms of security, WordPress, and PHP in general for that matter, have become a bit of a joke. If you want a site to be secure, people tend to steer clear of WordPress and PHP. That being said, nothing stands even close to WordPress in plugin support, community size,…

Network Switch used by TensorDock. If you will be using this image, it would be greatly appreciated if you could link back to this image or include a snippet of text that links to our company's website.

Exposing your Homelab

6 minutes

In the current lockdown situation, a lot of people are starting to eye up that old desktop machine, or Raspberry Pi they bought for a project and just left on a shelf, and thinking of putting it to use, as a server! Naturally, once you’ve got something set up in…