Viewing a single comment thread. View all comments

kindrudekid t1_je3ihy4 wrote

You can still use 2FA, just not via sms.

TOTP, yubikey etc are still free.

Edit: those down voting me, as I say in my job, RTFM or in this case the entire email/page about this notice.

You can still use authenticator apps and/or security keys for free. Here's how to do it: https://www.theverge.com/23606430/how-to-secure-twitter-account-2fa-without-blue

−26

adreamofhodor t1_je5gvl6 wrote

So Twitter took away a service they offered? Sounds like a bad deal to me.

5

kindrudekid t1_je5nx1s wrote

No they still offer the 2FA service.

Previously they offered it via SMS, TOTP based Authenticator Apps (Google Authenticator, Duo Security, Authy etc) and Security Keys (Yubikey)

SMS based 2FA is weak and been vulnerable for almost a decade now. NIST sent out an official notice back in 2016. Google and Apple phased it out completely too.

So Twitter just disabled the shitter, weaker, more vulnerable SMS based 2FA is not available. Not only is it bad from a InfoSec perspective, it is also a line item in capital expenses from a business perspective.

I do agree that the phrasing from twitter was shitty and instead of asking users to fork over money, they could have guided them to the alternatives.

−1