I love the excuse that they claim SMS 2FA has been "abused by bad actors" but forget that there's certainly a shitload of ways to use virtual TOTP, FIDO2, etc that just mean someone has to change the script and they'll be back in business in no time at all.
Which is the least secure option available among all the others, so if that forces other people to migrate to a better option then at least that's positive. I hope Twitter puts more emphasis on safekeeping the recovery code/backup codes when activating the feature.
I remember awhile ago, maybe 5-8 years back (wow, time) I went to log into Twitter, and was confronted with a dark pattern: enter my phone number to access my account. No other option.
I only used my Twitter account on occasion, and after that, I swore I wouldn’t.
Years later, I decided to log in again, mainly for digital hygiene. No prompt for phone number. Fantastic! I logged in. But then, I realized that there was no email 2FA, nor authenticator app option. Only SMS.
I gave them my number and have logged in a handful of times since.
The Twitter chronicles continue to amuse and annoy me. I’d bet this is the latest in a series of moves to lock down internal KPIs across their funnel, especially following the shutdown of public API.
Edit: this is probably a lot simpler. The rate per SMS has been increasing quite a lot YoY. This is probably just a line item getting trimmed as they, uh, “trim the fat.”
This is a hot take. I’m not suggesting that 2FA sms is secure but the people in high-growth countries (like India) do not normally have smart phones. They do have things like regular flip phones and those are the users you’re willing to give up. These people are also unlikely to be able to pay for 2FA sms. So you’re basically locking these users out of the pipeline. This will raise the security bar and it’s likely he’s doing it because he doesn’t want to have to pay for sms 2FA costs alone but it will stunt his growth potential.
I don't think there is a wide spread usage of 2FA on twitter to begin with. I doubt that the people do it by default anyway in any country. So it is not like they are forced out of twitter (yet, at least) but lets be honest, most of twitter usage is via smart phones and people who accustom themselves without computer can use 2FA app on computer. It is not like they are out of options, that is of course assuming that 2FA is in their mind.
> These people are also unlikely to be able to pay for 2FA sms
I don't think most people anywhere are going to pay for 2FA SMS.
> but it will stunt his growth potential
Elon is clear that he cares about revenue now not growth specifically in a markets without much potential in near-time profits. So this will make more sense for him to do
I don't think that is the case. Chinese smartphones are extremely cheap in India and you will find them in the even the most remote places. Also given how cheap mobile data is as compared to the west, there is a significant benefit in life to own a smartphone and people are generally able to afford it. I have travelled all across India and have yet to see a flip phone in my 2 years.
While I think this is great overall, I think it’s terrible they’re just going to disable 2FA on accounts with no other options come the deadline. They should have just kept it enabled, but force the change on next login (or user interaction) so at least there is _something_ protecting them until the switch can be forced. If the fraud allegations are to be believed, just rate limit the attempts to once an hour and identify the fraud accounts (seems they already have) to take action on.
What they should have done is said SMS-based 2FA would be removed in 3 months, encouraged people to use token-based or physical 2FA with a couple reminders over that time, and left it at that.
14 comments
[ 3.4 ms ] story [ 31.0 ms ] threadI only used my Twitter account on occasion, and after that, I swore I wouldn’t.
Years later, I decided to log in again, mainly for digital hygiene. No prompt for phone number. Fantastic! I logged in. But then, I realized that there was no email 2FA, nor authenticator app option. Only SMS.
I gave them my number and have logged in a handful of times since.
The Twitter chronicles continue to amuse and annoy me. I’d bet this is the latest in a series of moves to lock down internal KPIs across their funnel, especially following the shutdown of public API.
Edit: this is probably a lot simpler. The rate per SMS has been increasing quite a lot YoY. This is probably just a line item getting trimmed as they, uh, “trim the fat.”
I miss old Elon.
> These people are also unlikely to be able to pay for 2FA sms
I don't think most people anywhere are going to pay for 2FA SMS.
> but it will stunt his growth potential
Elon is clear that he cares about revenue now not growth specifically in a markets without much potential in near-time profits. So this will make more sense for him to do
What they should have done is said SMS-based 2FA would be removed in 3 months, encouraged people to use token-based or physical 2FA with a couple reminders over that time, and left it at that.