Twitter recently set in motion a major shift that will affect how most people protect their accounts. The company told nonpaying users that they would soon have to stop using a popular security feature: two-factor authentication through text messages.
Let me explain why this isn’t as bad as you might fear.
In plain speak, two-factor authentication requires two security steps to verify that you are who you say you are. The first step asks for a user name and password, and the second requires you to either enter a temporary code that is sent to you or connect to a physical security key. This way, even if someone has your password, that person will need to fulfill the second step to log in to your account.
Twitter’s announcement of this change was initially confusing and alarming for many. But to be clear, Twitter is pushing users to adopt stronger safeguards — and it has created an opportunity for us all to bite the bullet and improve the security of our online accounts.
Twitter said in a blog post that users who were not subscribers to its Twitter Blue service would no longer be able to use text messages as a form of authentication after March 20. Nonpaying users can switch to different verification techniques with stronger forms of security. The alternatives rely on either using a third-party app to generate a temporary code or plugging in an authorized security key for access to your account.
“Use of free authentication apps for 2FA will remain free and are much more secure than SMS,” Elon Musk, Twitter’s owner, tweeted.
Twitter had a valid point about the flaws in SMS-based authentication, according to Casey Ellis, the chief technology officer of the security firm Bugcrowd. “This actually does make some sense, but it just wasn’t executed in a clean way,” Mr. Ellis said.
But there are downsides to Twitter’s approach, he added. Authentication using text messages has been the simplest security tool for a vast majority of people to use. The other techniques require extra steps to set up.
(Also confusing: Paid Twitter users will still be able to rely on codes sent to them via text messages for logging in — an odd choice if that form of authentication is less secure. Twitter did not immediately respond to a request for comment.)
Switching to the other security methods is not intuitive, so there’s a risk that many nonpaying Twitter users may resort to skipping two-factor authentication altogether.
Amid all this, however, there’s a valuable opportunity to learn about the stronger methods of two-factor authentication — and why we should consider using one of them, whenever possible, instead of SMS-based security for all our online accounts. Here’s what you need to know about each method and its pros and cons.
For many years, Twitter and other sites have encouraged users to set up two-factor authentication through text messages. That method sends a time-sensitive security code to a user’s phone. This has been the most widely used form of two-factor authentication because virtually everyone has a cellphone, so even the least tech savvy person could understand it.
But over time, security researchers have found SMS authentication to be increasingly problematic. A text message containing a security code could be intercepted by someone who has hijacked your phone number — a scam known as SIM swapping. This is how hackers broke into the Twitter account of the company’s former chief executive, Jack Dorsey, in 2019.
There are more issues. A text message is not encrypted, so it can be a security risk to receive texts on foreign networks in countries with heavy surveillance such as China and Russia. Also, if you’re traveling outside the United States, receiving texts on a foreign carrier can be pricey.
Security researchers are continuing to discover new flaws in SMS-based authentication, so we can expect more sites and apps to push users away from receiving codes via text messages, Mr. Ellis said.
This brings us to authenticator apps, which you download onto a phone or computer. They generate temporary security codes (instead of texting them to your phone) that you enter to log in to your online accounts and apps.
Let’s use Twitter and the app Google Authenticator as an example.
First, download the Google Authenticator app onto your phone. Then, on Twitter.com from a computer, click More→Security and Account Access→Two-Factor Authentication→Authentication App.
From here, follow the steps on Twitter. You’ll be asked to use the Authenticator app to scan a QR code with your phone camera, which will link the app with your Twitter account and start generating security codes.
When you log in to Twitter, you’ll enter your user name and password and then open the Authenticator app to find the temporary code.
The big downside to using authenticators is that if you lose your phone or switch to a new one, it can be a pain to regain access to your accounts. Typically a site or app like Twitter will let you regain access to your account with a backup code. In Twitter’s two-factor authentication settings, one menu labeled “backup codes” will generate a code to let you log back in. Make sure to jot this code down and store it in a safe place.
This technique takes some time and mental bandwidth to set up properly and get used to, but it’s better overall. It’s much tougher for someone to hijack your device to see your security codes than it is to intercept a text message.
The third method — the use of a physical security key in the form of a USB stick that you insert into your computer or phone to log in — is the most secure of them all. We’re not likely to see this technique widely adopted because the key costs money, and if you lose your key, it can be difficult to regain access to your account.
Let’s use Twitter and Google’s Titan security key as an example.
First, you have to buy a security key. Google sells its Titan security key for $30; it includes a pair of keys for different types of computers and phones.
Then, on Twitter.com from a computer, click More→Security and Account Access→Two-Factor Authentication→Security Key.
From here, follow Twitter’s instructions, which will walk you through plugging the key into a USB port and pressing a button to verify the key. Twitter will then show a screen with a backup code in case you lose your key. Store it somewhere safe.
Kind of a hassle, no? Still, it may be useful for people who work in highly sensitive fields, like government agencies and activism.
In conclusion, the authenticator app is the two-factor method that is relatively convenient and very secure to use. I recommend most people pick one app, such as Google Authenticator, Authy or Microsoft Authenticator, and stick to it. They all work the same.
It can take some time to set up an authenticator app with all of your online accounts, but you need to do it only once. And in the long run, it might save you time because logging in to sites with this method can be faster than waiting for text messages to arrive.