“Thank you, SMS based 2FA is nowhere near as secure as auth apps”. Also not as reliable, as without a good cellular connection (SMS does not go through the data channel) you are toast.

I wonder what the FTC will say given the consent decree regarding them protecting user information.
I wonder how much this cost them that they chose to do this.
Still, as long as there are free alternatives: who cares.
> Uhh what's the issue here exactly? Genuine question.

Most people using 2FA use the text messaging based version; now these people are being told to remove their number from the 2FA account or pay for Twitter Blue.
> “Thank you, SMS based 2FA is nowhere near as secure as auth apps”. Also not as reliable, as without a good cellular connection (SMS does not go through the data channel) you are toast.

But still better than nothing at all, which is where a lot of people may be when they don't want to/can't download an authenticator or bother writing down security keys. If the overall rate of users using 2FA plummets due to this, those factors you mentioned won't matter much to the FTC.
> The point isn't how more effective one solution is compared to another, obviously, it's that Twitter was told to better secure user data end to end. The average user has no fucking idea what a 2FA dedicated app is and isn't technical at all, but they can understand the simplicity of entering a code messaged to their phone. Placing additional burden upon the user would obviously not be something the FTC would be thrilled about.

Assuming that the average user has the ability to read and can sign in to an online account, they should be able to follow the instructions provided for using an Authenticator app. It doesn't require any more technical proficiency than using Twitter itself. Most SMS authentication schemes require you to open your SMS app to retrieve an authentication code to provide to the app you're authenticating to. How is opening an Authenticator app to retrieve a code any more technical than opening your SMS app to retrieve one?
If the FTC sees this as a reduction in data security then the FTC are absolutely idiots.
> I'd prefer an authenticator app, actually.

While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.
> Twitter is asking users to seek out a third party to provide the security they themselves should be providing gratis, and as easily as possible.
>
> And as someone who has worked in tech and IT for a long time in many roles, including security, you're giving the average person too much credit.

Use of a third party authentication app like Google's authenticator app doesn't add additional cost for the user. And it's not more difficult than any other common MFA scheme.
I've also worked in software system architecture and data security for nearly 30 years, deploying multiple MFA schemes for many public facing applications. So I feel quite confident in telling you that your concern is misplaced. Authentication apps have been a thing for more than a decade. This isn't springing some new and esoteric technology on the masses. This is a commonly accepted method for providing secure one time passwords to secure software systems. The entire reason MFA exists is because the average user is a moron.
> So can anyone tell me about all these shakeups, is Twitter too big now to affect its numbers that they are doing whatever to it, charging prices for basics?
>
> Or is this just a big fuck up waiting to explode? Like is there an alternative or is Twitter here to stay forever regardless of anything?

I don't think anyone at Twitter knows what to do anymore, Musk included. It seems to me after years nobody really knows what they want the platform to be.
Looks kinda like the animation from Samurai Jack.
> While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.
>
> With SMS fallback you can transfer your number to a new SIM and start using whatever needs MFA. Although I guess email being a fallback wouldn't make SMS MFA necessary.

Email link authentication is a common MFA fallback but it is less secure overall since email is one of the most commonly compromised systems people use. It's often impossible to tell if someone unauthorized is accessing it. It's also generally more expensive for companies to use it for MFA compared to SMS. SMS as a third leg fallback in an MFA scheme is reasonable if you lose your authentication keys.
> I didn't mean to suggest they'd cost the user monetarily. But when we're talking about an app like Twitter, which most people are using on their phones and in many cases trading on their real identities and sharing and storing real, valuable information, the onus should be upon the platform holder to provide security. Twitter is profiting off the user and their information, after all.
>
> It's like in healthcare IT, my current gig, infrastructure and devops, but I had to help out when we set up our 2FA solution (cloud provider). I was part of the team that helped set up the infrastructure and solution between on-prem AD and two sites/data centers and Azure. We are expected to provide this to users free of charge, and to make it as easy and careless to use as possible, including down to how robust and easily accessible support is for it (our help desk).
>
> Of course with HIPAA and all we're held to a higher standard, but I see no reason why a company like Twitter shouldn't at least be expected to provide the bare minimum - especially when under consent decree to do so.

I respectfully disagree. If you're trading on your real identity in a social media setting then you should be primarily responsible for securing your real, valuable information and not trusting it to some company that uses you as their product. App-based authentication is not lessening security of your data. In most ways it's increasing that security because even you can be locked out if you don't possess sufficient means to prove that it is you accessing that data.
I spent 10 years of my career building patient-facing applications for health data management and health insurance claim management. I'm fully versed in HIPAA requirements. I'm currently working in consumer finance tech. In every use case I have provided data security and MFA to users free of charge. I bear the infrastructure costs of services like ADFS, AD B2C and Okta to keep data safe and access secure.
What you're not articulating is how app-based MFA makes security more expensive for users or makes their data less secure. Twitter is not saying they are eliminating data security for people who won't pay. They're saying they're going to stop sending text messages with authentication codes to people and instead will use fast-expiring randomly generated auth tokens instead.
> Wow, I hit reply on my post before seeing yours, and it looks like on a philosophical level we're kind of diametrically opposed. And this is interesting. This is now the most interesting conversation I have had on GAF. Cheers man.
>
> But I am going to have to obviously disagree.
>
> Edit: basically I feel that it's my duty, as the platform holder, to protect the vulnerable. You place that burden entirely upon them. Interesting.

I don't think we're diametrically opposed. I also believe that I am responsible for protecting the data I keep in my systems and I make extraordinary effort to do so. There is normally clear regulation relating to PHI, PCI and PII and the responsibility data system operators have to protect that information. I take that responsibility very seriously. But the data systems that you and I build are not like Twitter.
Er, SMS is also using a third party (phone/telco providers) and is not a secure transmission either. Generally SMS hops many third party networks for each message, all insecure.
> Security is provided at levels higher than the physical and data link layers.
>
> It doesn't matter if a packet travels over electricity in an ethernet cable, then via pulses of light in fiber, and finally via radio waves for wifi, over 900 hops; things like encryption and trust at higher levels provide protection of the data.

No, SMS is sent in the clear, unencrypted. Packet sniffing, router hijacking, phone cloning, carrier staff reading customer SMS and many more techniques expose the insecurities of SMS. There are devices out there to literally intercept SMS messages en masse from a local wireless tower.
> Wow, I hit reply on my post before seeing yours, and it looks like on a philosophical level we're kind of diametrically opposed. And this is interesting. This is now the most interesting conversation I have had on GAF. Cheers man.
>
> But I am going to have to obviously disagree.
>
> Edit: basically I feel that it's my duty, as the platform holder, to protect the vulnerable. You place that burden entirely upon them. Interesting.
>
> Edit 2: I see you worked within the confines and restrictions of HIPAA in the past - just remember, it changes and becomes more demanding almost every year. I used to only have to take around three training classes and one test a year to prove I understood how to remain compliant. Now it's like nine courses and three tests.

This is Twitter, a luxury, not healthcare though.
> No, SMS is sent in the clear, unencrypted. Packet sniffing, router hijacking, phone cloning, carrier staff reading customer SMS and many more techniques expose the insecurities of SMS. There are devices out there to literally intercept SMS messages en masse from a local wireless tower.

Experienced IT guys thinking SMS is encrypted explains why healthcare security is so shit. This is the same industry that until recently had entire networks of patient data in plaintext because it was assumed an attacker couldn't "plug in".
Auth apps are secure, end to end.