You must remove text message two-factor authentication

not your CISO
3 min read · Feb 18, 2023
Photo By Author

Last night, just before I went to sleep, I decided to check Twitter. As usual, I opened the app, and the first thing I saw was the screenshot I put above.
First of all, the user experience for this notification is poor. Who approved this copy? It took me a while to understand why I should remove the SMS multi-factor authentication (MFA).

My first thought was: is there anything wrong with my account? Has somebody misused it? But the explanation was so vague, and in such small type, that I decided to check the official notification. SMS MFA is the weakest form of multi-factor authentication, and I am glad that is the reason given in the official notification.

So is it good or bad? Why would Elon scrap a feature that almost every organisation has actively used for a long time?

In short, as one of my friends said — “decision good, announcement copy stupid”

I could write a couple of things myself, but then I saw a tweet from Troy Hunt that summarises the whole thing beautifully:

Tweet by Troy Hunt

I agree with both points. Putting a price on the weakest form of 2FA while keeping the two much better alternatives free will drive users to adopt stronger methods of multi-factor authentication.

First, let’s talk about why SMS 2FA is the weakest form of multi-factor authentication.

  • It is vulnerable to SIM swapping attacks. (An attacker takes over the phone number by tricking the telecom company into moving it to a SIM the attacker controls.)
  • It is vulnerable to SIM cloning. (With physical access to the card, an attacker can copy it; older SIMs with weak authentication algorithms are the most exposed.)
  • It is vulnerable to interception in transit. (The code travels over the telephone network, where SS7 signalling attacks and malicious apps holding the SMS permission can read it.)
  • It is vulnerable to shoulder surfing. (An attacker can glance over a user’s shoulder to read the text message, which often appears as a notification on the lock screen.)
  • The one-time password sent by text usually stays valid for several minutes, whereas authenticator app codes rotate every 30 seconds, giving an attacker far more time to use a stolen code.
  • It is tied to the SIM rather than to the device: a SIM card can be removed and installed in another phone, and losing the SIM or the phone locks you out of your account.

All the attacks above are mitigated by moving to a better multi-factor authentication mechanism: an authenticator app, a hardware token or a security key. One caveat: an authenticator app still produces a code that a real-time phishing proxy can relay to the genuine site, so only a security key (FIDO2/WebAuthn), which binds the login to the site’s origin, stops phishing as well.

Now to the second point: making 2FA a premium service sends a bad message, and I am worried about it.

But why?

It is sending mixed signals.

Remember when Elon Musk tweeted about bitcoin and shook up the price? Remember when Elon Musk fired half of the company after becoming CEO of Twitter? We are still feeling the implications of that move: everyone is following the trend, and we hear about layoffs every day.

Elon Musk is an influencer, and his actions influence others to a degree that is hard to imagine. He takes bold actions, sometimes on a whim, and everyone says: if Elon can do it, why can’t we? Scrapping SMS MFA is a good decision, but making it a premium feature has indirect implications. He has just created a new source of revenue by making users pay for their account security. It may pave the way for other organisations to make security features premium and charge users for protecting their own data. Given the market, the economy and the pressure from VCs, anything could happen in the name of making money, and the reasoning would be: if Elon can do it, why can’t we? That is what I am afraid of. Security should be a feature users never have to pay for.
