Twitter recently released a transparency report about its users’ adoption of two-factor authentication, and the report wasn’t exactly encouraging. Only 2.3 percent of Twitter accounts had at least one 2FA method enabled, and of those, 79.6 percent had SMS enabled, 30.9 percent had a TOTP application enabled, and 0.5 percent had a security key enabled.
Twitter can’t do much about its users’ apparent lack of interest in enabling 2FA, but it only has itself to blame for the fact that so many 2FA users rely on SMS.
The last time I created a new Twitter account for a specific project I was working on, one of the first things I wanted to do was enable 2FA.
However, it was impossible to enable 2FA without first enabling SMS 2FA. I have no interest in using SMS as a 2FA method, but Twitter insisted I do so anyway.
I suspect that Twitter did this so it could collect my phone number. I cannot imagine any other reason it would not simply let me set up a TOTP app for 2FA out of the gate.
Instead, I had to enable SMS 2FA and confirm that. Then, I was able to add my TOTP application to the account. Finally, I went in and removed the SMS 2FA from the account.
That was a ridiculous number of hoops to jump through, and an all-too-common 2FA onboarding process across many systems.
Fortunately, Twitter seems to have abandoned that practice, but it is ridiculous that anyone ever thought it was an acceptable practice in the first place.
Terence Eden’s essay That’s not how 2FA works is a good primer on how 2FA, for some people, is borderline magical thinking. 2FA is good at protecting against a particular set of attacks, such as credential stuffing and brute-force attacks, but it is not cybersecurity magic.
Eden points out that 2FA doesn’t help you identify a site any better, so it doesn’t protect users who enter their password and submit a 2FA code after a phisher gets them to click on reall-bank.com instead of real-bank.com.
However, password managers are good at not falling for fake sites (in addition to allowing users to maintain unique, complex passwords for every site).
The best defence is to use a password manager. I recommend the open source Bit Warden.
A password manager stores your passwords. But it also stores the web address of the site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.
Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.
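To make Eden’s point concrete, here is an added example (not code from his essay or from any real password manager) of the origin-matching rule a manager applies before offering saved credentials. The vault entries and visited URLs are constructed sample data; a lookalike host such as githud.com or reall-bank.com simply never matches the saved origin.

```python
from urllib.parse import urlsplit

# Constructed sample vault: each entry records the login page URL the
# credential was saved on, mapped to the username stored for it.
VAULT = {
    "https://github.com/login": "github-user",
    "https://real-bank.com/login": "bank-user",
}


def origin(url):
    """Return the (scheme, host, port) origin of url, or None if unparseable.

    Scheme and host are compared case-insensitively; a missing port is
    filled in with the scheme default so "https://x/" and "https://x:443/"
    are the same origin.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as ":abc"
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def matching_logins(visited_url, vault=VAULT):
    """Credentials the manager would offer on visited_url.

    Only an exact origin match counts: a lookalike host (githud.com),
    a subdomain trick (github.com.evil.example), or an http:// downgrade
    of a credential saved on https:// all yield nothing, which is the
    phishing resistance the essay describes.
    """
    target = origin(visited_url)
    if target is None:
        return []
    return [user for saved, user in vault.items() if origin(saved) == target]
```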
I’ve been doing a bit of a personal security audit lately, and updating/resetting passwords and adding 2FA wherever I can. One of the things I was pleasantly surprised to see is that DokuWiki made it fairly straightforward to add 2FA to my wiki.
Two Factor Auth (2FA) is a website that lists popular websites and indicates whether or not they support two-factor authentication. If they do not, the site provides easy links to click to encourage companies on Twitter or Facebook to add two-factor authentication.