Project Hyphae

Twitter is Ditching Free SMS MFA, Here’s Why You Should Too


Twitter will soon drop support for SMS multi-factor authentication, the method where users receive a text message containing a numeric code to verify their identity, for everyone except paying Twitter Blue subscribers. The change has many users upset and weighing whether to pay to keep the feature. You shouldn't. Paying for SMS MFA means paying for the weakest second factor on offer, and on your other accounts you should fall back to SMS only when it is the sole multi-factor option available (even then, a weak second factor still beats a password alone).
In 2020, Microsoft publicly warned against using SMS or voice calls as multi-factor authentication methods, and its guidance for Azure AD has since steered customers toward authenticator apps and passwordless sign-in instead. The reasoning: one-time passcodes (OTPs) delivered over SMS or voice are only as secure as the public telephone network that carries them, and that network has well-documented weaknesses. The code travels in plaintext, is routed by your carrier rather than by the service you are logging in to, and can be intercepted or redirected without the attacker ever touching your device.
Simple techniques like SIM swapping, where an attacker contacts a mobile carrier posing as the customer and has the victim's phone number moved to a SIM the attacker controls, have been around for years and keep evolving. Jack Dorsey, the former CEO of Twitter, fell victim to a SIM swap in 2019 while relying on the very MFA method the company is about to charge for. Compromising a victim's online wireless-carrier account can likewise let an attacker read their text messages in the carrier's web portal, which is why the password and recovery options on that account deserve the same care as any other. More sophisticated attacks such as Signaling System No. 7 (SS7) interception, first publicly demonstrated in 2014, abuse the aging signaling protocol carriers use to route calls and texts, letting an attacker redirect OTPs and other traffic. And a lost or stolen phone that previews incoming texts on its lock screen hands the code to whoever is holding it.
Instead of relying on unencrypted protocols designed half a century ago, adopt an alternative form of MFA. Free authenticator apps such as Google Authenticator, Okta Verify, or Authy generate time-based one-time passcodes (TOTP) from a secret stored on your phone at enrollment, so they depend on neither your wireless carrier's reliability nor its security. Because TOTP is an open standard, any service that offers an "authentication app" option, Twitter included, works with any of these apps; some also offer push approvals. Both the codes and the push notifications are bound to the device, not to the phone number on the SIM, so a SIM swap does nothing to them. Twitter also supports hardware security keys, which plug into your computer over USB or connect to your phone over NFC or Bluetooth when you log in. Security keys and the WebAuthn platform authenticators built into modern devices (Face ID, Windows Hello, fingerprint readers, whether the hardware is onboard or detachable) go a step further: the credential is bound to the site's origin, so a phishing page cannot capture and replay it. That is a property neither SMS nor app-generated OTPs have, and it is worth the price of a key.
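To make concrete why an authenticator app is indifferent to your phone number, here is an added example (not code from the original post or from any of the apps named above) implementing the TOTP algorithm those apps run, RFC 6238 on top of RFC 4226 HOTP, checked against the RFCs' published test vectors. The only inputs are the shared secret handed over at enrollment and the current time; the otpauth:// URI that an enrollment QR code carries contains the secret, algorithm, digit count and period and nothing about the SIM. The "Twitter" issuer and "alice@example.com" account labels are hypothetical.

```python
import base64
import hmac
import struct
import time
from urllib.parse import quote

# Shared secret from the RFC 6238 / RFC 4226 test vectors (ASCII "12345678901234567890").
# Constructed test data: its Base32 form is what an enrollment QR code would carry into
# the authenticator app. No phone number is involved at any point.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_SECRET_B32 = base64.b32encode(RFC6238_SECRET).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side so that
    modest clock drift between phone and server does not lock the user out. Compares in
    constant time so a correct-prefix guess is not distinguishable by timing."""
    counter = timestamp // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate < 0:                          # struct.pack(">Q") rejects negatives
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits).encode(), code.encode()):
            return True
    return False


def enrollment_uri(issuer: str, account: str, secret_b32: str,
                   digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI encoded in an enrollment QR code. Everything the app needs is
    here: secret, algorithm, digit count and period. The SIM is never consulted."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Published RFC 6238 vectors (SHA-1, 8 digits) and the first RFC 4226 6-digit vector.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (20000000000, "65353130")]:
        assert totp(RFC6238_SECRET, t, digits=8) == expected, t
    assert hotp(RFC6238_SECRET, 0) == "755224"
    # Hypothetical enrollment labels; only the secret and parameters matter to the app.
    print(enrollment_uri("Twitter", "alice@example.com", RFC6238_SECRET_B32))
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC6238_SECRET, code, now))
```

Two design points worth noting: the verifier accepts one step of drift on either side, which is why a code generated a few seconds before the 30-second boundary still works, and it compares with hmac.compare_digest rather than == so response timing does not leak how many leading digits a guess got right. A real server would additionally refuse to accept the same code twice within its window.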
