Few Twitter Users Enable 2FA; Those Who Do Overwhelmingly Stop at SMS

Twitter recently released a transparency report about its users’ adoption of two-factor authentication, and the report wasn’t exactly encouraging. Only 2.3 percent of Twitter accounts had at least one 2FA method enabled, and of those, 79.6 percent had SMS enabled, 30.9 percent had a TOTP application enabled, and 0.5 percent had a security key enabled.

Twitter can’t do much about its users’ apparent lack of interest in enabling 2FA, but it only has itself to blame for the fact that so many 2FA users rely on SMS.

The last time I created a new Twitter account for a specific project I was working on, one of the first things I wanted to do was enable 2FA.

However, it was impossible to enable 2FA without first enabling SMS 2FA. I have no interest in using SMS as a 2FA method, but Twitter insisted I do so anyway.

I suspect that Twitter did this so it could collect my phone number. I cannot imagine any other reason it would not simply let me set up a TOTP app for 2FA out of the gate.

Instead, I had to enable SMS 2FA and confirm that. Then, I was able to add my TOTP application to the account. Finally, I went in and removed the SMS 2FA from the account.

That was a ridiculous number of hoops to jump through, and that kind of 2FA onboarding process is all too common across many systems.

Fortunately, Twitter seems to have abandoned that practice, but it is ridiculous that anyone ever thought that an acceptable practice in the first place.

The Other Benefit of Using A Password Manager

Terence Eden’s essay That’s not how 2FA works is a good primer on how 2FA, for some people, is borderline magic thinking. 2FA is good at protecting against a particular set of attacks such as credential stuffing and brute force attacks, but it is not cybersecurity magic.

Eden points out that 2FA doesn’t help you better identify a site, so it doesn’t stop users from entering their passwords and sending a 2FA token when a phisher gets them to click on reall-bank.com instead of real-bank.com.

However, password managers are good at not falling for fake sites (in addition to allowing users to maintain unique, complex passwords for every site).

The best defence is to use a password manager. I recommend the open source Bit Warden.

A password manager stores your passwords. But it also stores the web address of the site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.
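To make Eden’s point concrete, here is an added toy model (example code, not from the original post or from Eden’s essay) of how a password manager binds each stored credential to the exact origin of the login page where it was saved, so a lookalike host such as githud.com gets no autofill. The vault entries and URLs are constructed sample data, and the vault layout is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry records the exact origin (scheme + host)
# of the login page on which the credential was originally saved.
VAULT = [
    {"name": "GitHub", "origin": "https://github.com", "username": "alice"},
    {"name": "Real Bank", "origin": "https://real-bank.com", "username": "alice"},
]


def origin_of(url: str) -> str:
    """Return the normalised origin (scheme://host[:port]) of a URL, or "" if
    credentials should never be offered on it.

    The host is taken from the parsed URL, so userinfo tricks such as
    "https://github.com@githud.com/" resolve to the real host, githud.com.
    The whole host string must match; a visually similar domain is simply a
    different origin, which is exactly why the manager stays quiet on a
    phishing page.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Only offer credentials on HTTPS pages; a plain-HTTP login page
        # could be tampered with in transit.
        return ""
    host = (parts.hostname or "").lower()
    # Drop the default port so https://github.com:443 and https://github.com
    # are treated as the same origin.
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    return f"https://{host}{port}"


def matching_entries(url: str) -> list:
    """Return the vault entries whose saved origin exactly equals the
    origin of the page being visited (the autofill decision)."""
    origin = origin_of(url)
    return [entry for entry in VAULT if origin and entry["origin"] == origin]


if __name__ == "__main__":
    for visited in ("https://github.com/login", "https://githud.com/login",
                    "https://reall-bank.com/login", "https://real-bank.com/login"):
        names = [e["name"] for e in matching_entries(visited)]
        print(f"{visited:35} -> {names or 'no credentials offered'}")
```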

Twitter Finally Allows Users To Use 2FA Without Enabling SMS

This took them a ridiculously long time to implement, but I guess better late than never is still a thing.

Enabling 2FA in DokuWiki

I’ve been doing a bit of a personal security audit lately, and updating/resetting passwords and adding 2FA wherever I can. One of the things I was pleasantly surprised to see is that DokuWiki made it fairly straightforward to add 2FA to my wiki.

The work to enable this was done by plugin developer Michael Wilmes, and involved installing a number of plugins that Wilmes developed.

  1. First, using the DokuWiki extension manager, install the Attribute plugin.
  2. Next, install the Two Factor Authentication – Core Plugin. As the title suggests, this installs a 2FA framework within DokuWiki.
  3. Finally, install any of the five 2FA modules. There are ones for email, an alternate email, Google Authenticator, and SMS.

I was only interested in the Google Authenticator plugin module. After installing it, it worked like a charm. My login page now looks like this, and will not let me log in without the 2FA code:

DokuWiki 2FA-enabled Login Page