Twitter Will Finally Let Users Disable SMS as Default 2FA Method

Twitter Will Finally Let Users Disable SMS as Default 2FA Method (zdnet.com) 9

Posted by msmash on Friday November 22, 2019 @12:42PM from the security-woes dept.

Twitter says users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key. Until this week, this was impossible. From a report: If users wanted to use 2FA for their Twitter account, they had to register a phone number and enable the SMS-based 2FA method, even if they wished it or not. Users who wanted to use an OTP mobile authenticator app or a hardware security key, had to enable the SMS-based 2FA first, and they couldn't disable it. Even if the user chose to use a security key, the SMS-based 2FA method was still active, and exposed the account to attacks known as SIM swaps. Hackers who knew a user's password would perform a SIM swap to temporarily hijack a user's phone number, bypass SMS-based 2FA, and then take over that user's account.

Twitter Will Finally Let Users Disable SMS as Default 2FA Method

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 9 Comments Log In/Create an Account

Comments Filter:

It only took Jack Dorsey being hacked (Score:1)

by Anonymous Coward writes:

to add such a basic feature!
Don't use it, your now authenticated. (Score:2)

by pgmrdlm ( 1642279 ) writes:

I know, sounds too simple. But hey, it works for me.
Phone number deleted! (Score:2)

by Dixie_Flatline ( 5077 ) writes:

This is great. Now someone get Google to stop pestering me for my phone number. I want as few entities as possible to have it, and security app 2FA has always been better anyway.
- Re: (Score:2)
  
  by smooth wombat ( 796938 ) writes:
  
  2FA sucks. It's nothing but an annoyance which doesn't serve it's intended purpose. The only ones who benefit are the people pushing 2FA because now they have your information and can sell it, or push ads to you.
  - Re: (Score:2)
    
    by Zero__Kelvin ( 151819 ) writes:
    
    You have new idea what 2FA is I'm afraid. 2FA always serves its intended purpose. The problem is that "SMS 2FA" isn't 2FA at all.
Comment removed (Score:4, Insightful)

by account_deleted ( 4530225 ) writes: on Friday November 22, 2019 @01:12PM (#59443388)

Comment removed based on user account deletion

- Re: (Score:2)
  
  by TheRealMindChild ( 743925 ) writes:
  
  I don't know if you have been paying attention, but just about all of the big guys who ever supported something like Yubikey removed support for it and made SMS the only 2FA if you wanted any at all
  - Re: (Score:2)
    
    by bill_mcgonigle ( 4333 ) * writes:
    
    They consider anonymous speech dangerous.
    It's supposed to be.
Great. Now can we get EBay to follow suit? (Score:2)

by grnbrg ( 140964 ) writes:

EBay used to allow TOTP 2FA, but they removed the feature a couple of years ago to "Improve the security of your account.".

:facepalm:

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Twitter Will Finally Let Users Disable SMS as Default 2FA Method (zdnet.com) 9

Twitter Will Finally Let Users Disable SMS as Default 2FA Method More Login

Twitter Will Finally Let Users Disable SMS as Default 2FA Method

It only took Jack Dorsey being hacked (Score:1)

Don't use it, your now authenticated. (Score:2)

Phone number deleted! (Score:2)

Re: (Score:2)

Re: (Score:2)

Comment removed (Score:4, Insightful)

Re: (Score:2)

Re: (Score:2)

Great. Now can we get EBay to follow suit? (Score:2)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot