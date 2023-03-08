



In just two weeks, Twitter’s ban on SMS two-factor authentication for non-subscribers comes into effect, and the majority of the security community has condemned the move.

Twitter CEO Elon Musk has championed the move as a way to keep users more secure, but most leaders have not embraced it.

Andrew Shikiar, executive director of the FIDO Alliance, told SC Media that, from a purely pragmatic point of view, SMS OTP is basically the minimum threshold for 2FA, and Twitter is stripping it away without offering a viable or easy alternative.

SMS OTP improves on password-only accounts while still having the advantage of being easy to use and not requiring the user to set up an authenticator. However, the tool has many drawbacks: an increased attack surface, the possibility of spoofing, and codes sent in plain text, to name a few.

Twitter’s decision to restrict SMS 2FA to paying subscribers has led to outright ridicule on its own platform, with many calling it a potential holiday for hackers.

Not only is it less safe for users, but it’s unnecessary, Shikiar said. Just because there might be a business model hiding behind the guise of innovation doesn’t make it the most cost-effective model. Standardizing would be a better example of a shift that actually cuts costs.

While the list of possible negative impacts of this controversial move is considerable, there is also a positive: the company is moving users away from SMS one-time password authentication.

However, Shikiar explained, no one is defending SMS OTP’s inherent vulnerabilities, because it is a risky authenticator that doesn’t really prevent account takeovers.

If Twitter had announced a replacement or educated users about viable alternatives, this transition would have been less controversial, users’ security would have been protected in full, and it would have supported Musk’s claim that the change was intended to keep users secure rather than to address the growing financial difficulties facing the company.

But for mainstream consumers, SMS OTP is better than passwords alone and can stop most attacks, Shikiar said. SMS OTP isn’t good enough for everyone, but it has the advantage of being ubiquitous, so basically anyone can use it to increase the security of their account. After March 20, those accounts will be protected by a password only.

Not all users will have security keys or will download an OTP authenticator app when the SMS OTP ban goes into effect, especially without understanding the need for, and capabilities of, the alternatives, Shikiar explained. The ban essentially reduces the number of users who use 2FA to access their accounts.

What approach should Twitter take to replace SMS 2FA?

Twitter, and other companies considering similar security shifts for their users, would have needed to detail the reasons for the change and the more secure options users can and should use to keep their accounts secure.

For example, the ban on SMS OTP could have been accompanied by passkey support for mobile users. As Shikiar sees it, Twitter could have told users to remove SMS OTP and educated them about the more secure passkeys built into Android and iOS devices.

Otherwise, Twitter’s move is a missed opportunity, Shikiar said. Passkeys are inexpensive, and a good passkey is a primary unphishable element of user authentication. Using such an authenticator greatly simplifies the user experience.

Using passkeys would also have helped the company save money and keep users safe. It’s not pretty, but it’s functional, Shikiar said. “Twitter could also have used this transition to educate users on how to use passkeys, which to me would have been a much better approach.”

With passkeys, businesses have a ready-to-use authentication method for consumers. This is a whole new paradigm, he continued. We need to rethink how we look at authentication, rather than adding layers that are essentially band-aids on top of flawed first-factor authentication.

Another alternative, shared by Apple software engineer Ricky Mondello, is to provide users with an email OTP as a gradual progression before the final step to passkeys, slowly transitioning users to another authentication method. In this way, Twitter could have leveraged the functionality built into mobile devices with a little engineering.

In a personal blog post, Mondello reaffirmed that SMS costs and fraud are real issues. During their time in the industry, Mondello has seen several organizations try to reduce the cost of sending text messages.

But none of those companies chose to charge for the privilege, they write, especially after it had been a basic feature of the service. By using passkeys instead of passwords, Twitter could have addressed the heart of most of its security risks.

The first factor, Shikiar said, is the password. That’s why we need 2FA and multifactor authentication. Removing passwords as the primary factor suddenly changes the conversation.

“Industry and large consumer service providers should embrace and celebrate the benefits of this superior form of authentication,” he continued. “In my opinion, there is no doubt that this is happening in general consumer authentication.”

