Twitter recently started a major change that will affect the way most people protect their accounts. The company tells non-paying users that they will soon have to stop using a popular security feature: two-factor authentication via text message.
Let me explain why this isn’t as bad as you might fear.
Simply put, two-factor authentication requires two security steps to verify that you are who you say you are. The first step requires a username and password; the second requires you to enter a temporary code sent to you or to connect a physical security key. This way, even if someone has your password, that person will still need to get past a second step to log into your account.
Twitter’s announcement of this change was initially confusing and alarming to many. But it’s clear that Twitter is pushing users to adopt stronger protections — and that has created an opportunity for all of us to take a moment to improve the security of our online accounts.
Twitter said in a blog post that users who don’t sign up for its Twitter Blue service won’t be able to use text messages as a form of authentication after March 20. Non-paying users can switch to other verification techniques, which offer a stronger form of security. The alternatives rely on using a third-party app to generate a temporary code or on plugging in an authorized security key to access your account.
“Using free authenticator apps for 2FA will remain free and much more secure than SMS,” Elon Musk, the owner of Twitter, tweeted.
According to Casey Ellis, chief technology officer of security firm Bugcrowd, Twitter is right when it comes to flaws in SMS-based authentication. “This really makes sense, but it’s not done cleanly,” Mr. Ellis said.
But there are downsides to Twitter’s approach, he added. Authentication by text message is the simplest security tool for the vast majority of people to use. Other techniques require additional steps to set up.
(Also puzzling: Paid Twitter users can still rely on a code sent to them via text message to sign in — an odd choice if that form of authentication is less secure. Twitter did not immediately respond to a request for comment.)
Switching to other security methods isn’t intuitive, so there’s a risk that many non-paying Twitter users might bypass two-factor authentication altogether.
However, in all of this, there is a valuable opportunity to learn about more powerful two-factor authentication methods — and why we should consider using one of them, whenever possible, instead of SMS-based security for all of our online accounts. Here’s what you need to know about each method and its pros and cons.
For years, Twitter and other sites have encouraged users to set up two-factor authentication via text messages. That method sends a time-sensitive security code to the user’s phone. This is the most widely used form of two-factor authentication because almost everyone has a mobile phone, so even the least tech-savvy person can understand it.
But over time, security researchers found SMS authentication more and more problematic. Text messages containing security codes can be intercepted by someone who has hijacked your phone number — a scam called SIM swapping. That is how hackers broke into the Twitter account of the company’s former chief executive, Jack Dorsey, in 2019.
There are more problems. Text messages are not encrypted, so it can be a security risk to receive texts on foreign networks in heavily monitored countries like China and Russia. Also, if you are traveling outside of the US, it can be expensive to receive messages from a foreign carrier.
Mr. Ellis said security researchers are continuing to discover new vulnerabilities in SMS-based authentication, so we can expect more websites and apps to stop letting users receive codes via text message.
This brings us to the authentication apps that you download to your phone or computer. They generate a temporary security code on the device itself (instead of receiving one by text message) that you enter to sign in to your accounts and online apps.
Let’s use Twitter and the Google Authenticator app as examples.
First, download the Google Authenticator app on your phone. Then, on Twitter.com from a computer, click More→Security and account access→Two-factor authentication→Authentication App.
From here, follow the steps on Twitter. You will be asked to use the Authenticator app to scan the QR code with your phone’s camera, which will link the app to your Twitter account and start generating the security code.
When you sign in to Twitter, you’ll enter your username and password, then open the Authenticator app to find a temporary code.
The big downside to using an authenticator is that if you lose your phone or switch to a new phone, you might have a hard time regaining access to your account. Usually, a website or app like Twitter will allow you to regain access to your account with a backup code. In Twitter’s two-factor authentication settings, a menu labeled “backup codes” will generate a code to let you sign in again. Be sure to write down this code and store it in a safe place.
This technique takes some time and mental bandwidth to set up properly and get used to, but it’s better overall. It’s much harder for someone to take over your device to see the security code than it is to intercept text messages.
The third method — using a physical security key in the form of a USB stick that you plug into your computer or phone to sign in — is the safest of the bunch. We’re unlikely to see this technique widely adopted because keys cost money, and if you lose your keys, it can be difficult to regain access to your account.
Let’s use Twitter and Google’s Titan security key as an example.
First, you must purchase a security key. Google sells its Titan Security Key for $30; it includes a pair of keys for computers and phones.
Then, on Twitter.com from a computer, click More→Security and account access→Two-factor authentication→Security key.
From here, follow Twitter’s instructions, which will show you how to plug the key into a USB port and press the button to verify the key. Twitter will then display a screen with a backup code in case you lose your key. Store it in a safe place.
A bit of a hassle, right? Still, it can be worthwhile for people working in highly sensitive fields, such as government agencies and activism.
In short, app authentication is a relatively convenient two-factor method and very secure to use. I recommend most people pick an app, such as Google Authenticator, Authy, or Microsoft Authenticator, and stick with it. All work the same.
It may take some time to set up an authenticator with all your online accounts, but you only need to do it once. And in the long run, it can save you time as logging into websites using this method can be quicker than waiting for a text message to arrive.