Two-factor or multi-factor authentication, although not the be-all and end-all of account security, has emerged as an effective way of safeguarding sensitive accounts, since an attacker would need access to an email address, mobile phone or authenticator app in addition to your credentials.
With several notable high-profile Twitter accounts being compromised recently, the company is urging users to adopt some form of two-factor authentication (2FA), but only 2.3% did so between July 2020 and December 2020, according to a transparency report the social media company released last week.
Despite that alarmingly low percentage, there was actually a 9.1% increase in 2FA adoption over that period.
Although that increase is encouraging, the overwhelmingly favored form of 2FA among Twitter users is SMS, which is the least secure 2FA method available. Still, 30.9% of Twitter users employ an authenticator app, and just 0.5% use a security key.
The company recently gave users the option to use security keys as their only form of 2FA.
Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to make 2FA easier for accounts to use. Making 2FA methods simpler and more user-friendly will help to encourage adoption and increase security on Twitter.
Why SMS 2FA Is Not Safe
If end users in your organization use SMS as a form of multi-factor authentication, please tell them kindly to stop doing that.
According to most cybersecurity professionals, intercepting an authentication code sent via SMS to a mobile phone is fairly easy.
Cybersecurity firm Kaspersky says bad actors can simply sneak a peek at passwords if lock-screen notifications are on, steal a SIM card and gain access to SMS messages containing passwords, implant malware on a phone to steal codes, or intercept SMS messages by exploiting a flaw in the SS7 protocol.
Microsoft is also urging customers to move away from SMS and voice-based authentication methods, since they rely on the public switched telephone network and aren't encrypted.
Even Twitter itself says SMS-based 2FA is the least secure form of additional authentication. The social media giant ranked authenticator apps and security keys ahead of SMS, with security keys in front.
Take Twitter’s advice and implement authentication apps or security keys in your organization.