Security
Headlines
HeadlinesLatestCVEs

Headline

Twitter’s SMS Two-Factor Authentication Is Melting Down

Problems with the important security feature may be some of the first signs that Elon Musk’s social network is fraying at the edges.

Wired
#web#google#auth

Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don’t come or they’re delayed by hours.

The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter’s access feature. The situation also provides an early hint that troubles within Twitter’s infrastructure are bubbling to the surface.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twiter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

Twitter’s communications department, which reportedly no longer exists, did not return WIRED’s request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.

“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It’s hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced."

SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it’s better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.

Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we’re making progress. We’re sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren’t receiving a code.”

That the issue seems to be recurring now indicates, perhaps, that systems Twitter has long struggled to maintain are among the first to destabilize without adequate maintenance and support. Current and former employees have painted a picture of Twitter as having convoluted and brittle technical infrastructure. Meanwhile, Musk’s revisions to Twitter’s “blue check” account-authentication policies have led to rampant scams on the site and even more extensive content moderation issues than existed under previous leadership.

If you haven’t already, switch to an app for generating your multifactor authentication codes, such as Google Authenticator. On Twitter go to “Settings and Support,” tap “Settings and privacy,” then “Security and account access,” “Security,” and then “Two-factor authentication.” Disable “Text message” if you have it in and instead toggle “Authentication app” and follow the instructions for adding Twitter to your authentication app. Or if you prefer to use a physical authentication token, turn on “Security key.”

For users who can’t receive their SMS two-factor codes, though, questions about whether Twitter is in decline or what could be coming next are moot—the site already feels broken.

“It’s hugely problematic to require 2FA for something and not be able to fulfill it for authentication, whether it’s SMS or anything else,” says Jim Fenton, an independent identity privacy and security consultant. “It’s problematic, because it’s denying service to Twitter users.”

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist