As posted on Twitter’s 2-factor authentication has a serious problem
Adding an extra layer of security to your online accounts is a fundamental step to protect your digital life from hackers, but what’s the point if the new methods are just as vulnerable as the old ones?
It’s a question some Twitter users are asking after discovering that the two-factor authentication on their accounts isn’t as secure as it seems.
But let’s back up for a second. No matter who you are, having your Twitter hacked would be a major bummer. In the case of political figures like Donald Trump, however, a hijacked account means more than just a headache — think of the havoc a fake policy pronouncement could wreak?
And so it was welcome news back in 2013 when Twitter rolled out two-factor authentication (2FA) to all of its users. This added layer of security allows users to protect their accounts, even if their passwords had been stolen, by requiring a second login credential sent via text message.
Great, right? Well, kinda.
While SMS-based 2FA does provide additional protection, there’s a big problem with it. Namely, SMS itself isn’t secure. A flaw in what is known as Signaling System 7 protocol (SS7) — something that allows different phone carriers to communicate back and forth — means that hackers can redirect texts to practically any number they want.
That means your SMS verification code could end up being sent directly to the cellphone of your hacker.
And this is not just theoretical. In January, reports Ars Technica, a group of criminals exploited this flaw to snatch victims’ SMS 2FA verification codes and drain their bank accounts.
So, with text-based 2FA known to have a security hole so large you could drive a truck through it, Twitter helpfully introduced additional ways to set up 2FA. Users who already have access to their accounts via the Twitter mobile app can use something called a login code generator, but as this requires already being logged in on mobile, it doesn’t help if you’re signed out.
The other method, a 3rd-party authenticator app, offers a better option. These apps, like Google Authenticator, generate a number sequence on your phone as your verification code — no vulnerable text message required.
Problem solved, right?
Not so fast. Because here’s the thing, even with an authenticator app enabled Twitter still sends out SMS verification codes. That’s right, the people that have taken the extra step to secure their Twitter accounts with an authenticator app — arguably the people most concerned about having their accounts hacked — are still just as vulnerable as those who rely on SMS-based verification codes.
And this has not gone unnoticed.
If you enable Authy, they still send and accept SMS for the 2FA.
— Joe (@sudoJoeBear) June 2, 2017
Users are rightly wondering what’s the point of having a 3rd-party authenticator app set up if Twitter still sends out text messages with the codes.
Twitter, for its part, is staying silent on the matter.
We reached out to the company and exchanged multiple emails with numerous employees who all categorically refused to explain if there was any way to disable SMS-based 2FA verification codes while maintaining a 3rd-party authenticator app, as well as why that would be the case.
One spokesperson simply responded the company had “nothing to share on our 2FA beyond what’s in our help center.” To be clear, the help center does not address this issue.
What about just deleting your phone number from your Twitter account? Then it can’t send you texts, right? Go ahead, but then you can no longer use the 3rd-party authenticator app.
The company, through spokespersons, also refused to comment on the SS7 exploit rendering SMS vulnerable to hackers.
Why this matters
For the average Twitter user, a text message-based verification code — despite its flaws — is a great added layer of security. However, as demonstrated by the criminals that emptied bank accounts in January, a determined hacker can bypass this security measure.
And maybe this is just a bug affecting some users’ accounts, and not each and every one of Twitter’s users with 3rd-party 2FA apps. Twitter’s refusal to discuss the matter, however, means we don’t know.
For you and me, this might not be that big of a deal at the end of the day. For celebrities, politicians, and members of the Silicon Valley elite? Well, that’s a different matter — and it’s one that Twitter should quickly address.