Twitter is Turning Off 2FA Over SMS for Most Users. Here’s a Better Option.


Two-factor authentication, or 2FA, is likely the most important security measure you can set up right now. It bases security on, well, two factors. The first is something you know, your password. The second is something you have, a device of some sort. There are a few ways to do it, and none are quite perfect yet. One way, while better than nothing, isn’t great, and that’s SMS-based authentication: the site sends you a text message with a temporary passcode when you log in. The problem is SIM swap attacks. An attacker convinces your carrier to move your phone number onto a SIM card they control, something carriers are all too happy to do, and from then on your codes arrive on the attacker’s phone. For someone who already knows your phone number and login information, that makes a targeted account takeover incredibly easy.

There are two other ways to secure your accounts with 2FA that don’t involve your cell number, and you can also harden your carrier account against SIM swap attacks. The first method, the one that’s right for most people, is an authenticator app. The second is a security key. Either one is more protective than SMS alone.

Twitter has announced that only Twitter Blue subscribers will be able to keep using SMS 2FA on their accounts. Twitter found that most of its 2FA users had a phone number set up rather than an authenticator app, so it decided to charge for it. Yet SMS is the weakest 2FA method Twitter offers. Former Twitter CEO Jack Dorsey once had his own account hijacked through a SIM swap attack, so Twitter knows all about this bottom-rung security measure. If you’re not willing to delete your Twitter account (the better option), you can at least secure it better, and for free.

App-Based Authenticator: Authy


Authy is my favorite suggestion for security. Many people will suggest Google Authenticator, and if you’d rather keep Google out of your authentication setup that’s a fair preference, but the practical drawbacks matter more. The app is tough to move to a new phone or back up, and it has no passcode or biometric lock of its own, so anyone holding your unlocked phone can read your codes. Authy adds that lock: Face ID, Touch ID, or a fingerprint before the app opens. That isn’t a true third factor as far as the website is concerned (the site still only sees the code), but it does mean a stolen or borrowed phone doesn’t hand over your codes, which is most of what people mean when they talk about “3FA”: something you have, something you know, and something you are. If you want security and privacy, you can check out a company that is focused on providing just that, without Google’s interference.

Setting Up Authy

Authy has its own setup guide, which is pretty easy to follow. The gist? Get the app. Set up your account. Enable a passcode for the app as well as biometric security like Face ID, Touch ID, or Android’s equivalents. Then just add accounts. Authy has a guide that walks you through adding 2FA to most of your accounts, but it’s quite easy and most sites work the same way. It’s usually just a matter of finding the 2FA option in your account settings and adding it to Authy.

You can add any account that offers authenticator-based 2FA, even if the site says it only supports Google Authenticator: the codes follow the same standard (TOTP), so any authenticator app works. Setup is usually just scanning a QR code and typing the 6-digit code from the app back into the site to confirm, though most sites also show a setup key you can type in manually if the QR code won’t scan. Save the one-time backup codes the site gives you somewhere safe (a password manager is fine); they are how you get back in if you lose the phone. You can run Authy on several devices, but it’s more secure to limit it to one or two so you don’t have too many copies of your “keys” for a thief to target. I recommend setting it up on your phone and perhaps your personal computer, a tablet, or an old device you can hide or lock up somewhere. Once those devices are enrolled, turn off “Allow Multi-device” in Authy’s settings: Authy accounts are tied to your phone number, and leaving multi-device on means a SIM swapper could enroll a phone of their own.

Extra security always seems tricky, but Authy makes it easier than even checking your messaging app for a text message. Just search the service you need a code for, tap the icon, and copy the code. Authy makes 2FA easy and more secure than using text messages.
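What the authenticator app is actually doing with that QR code is small enough to show in full. The following is an added example written for this article, not code from Authy or from any site’s 2FA setup: it parses the otpauth:// URI that a QR code encodes, base32-decodes the shared secret, and computes the 6-digit TOTP code the way RFC 4226/6238 specifies (HMAC over a 30-second time counter, then “dynamic truncation”). The example URI is constructed, and its secret is the public RFC test key rather than a real account secret; the verification routine with a one-step clock-skew window is the kind of check a site runs on its side.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text a site encodes in its 2FA QR code. The secret is
# the well-known RFC 4226/6238 test key "12345678901234567890" in base32, not a
# real account secret.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Pull the label, secret and parameters out of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_secret(secret):
    """Base32-decode the shared secret, tolerating lowercase, spaces and missing '='
    padding, all of which appear in the manual-entry keys sites show beside the QR code."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period), so the code rolls every 30 s."""
    return hotp(key, at // period, digits, algorithm)


def verify_totp(key, code, at, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept the current step and +/- `window` steps of clock skew.
    hmac.compare_digest keeps the comparison from leaking how many leading digits matched."""
    for step in range(-window, window + 1):
        candidate = totp(key, at + step * period, digits, period, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def code_for_uri(uri, at=None):
    """What the authenticator app shows for this account now (or at a given unix time)."""
    entry = parse_otpauth_uri(uri)
    key = decode_secret(entry["secret"])
    at = int(time.time()) if at is None else at
    return totp(key, at, entry["digits"], entry["period"], entry["algorithm"])


if __name__ == "__main__":
    print(parse_otpauth_uri(EXAMPLE_URI)["label"], code_for_uri(EXAMPLE_URI))
```

Two things worth noticing: the only secret involved is the base32 string in the QR code, which is why a screenshot of that code is as sensitive as the password, and the site and the app never talk to each other after setup, so nothing in this scheme depends on your phone number.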

Using a Security Key

Don’t want to use an app at all? This would be my favorite option, if I had found a security key that does everything I want it to do. Yubico makes several USB-C security keys, but there’s no one key to rule them all: none offers USB-C, NFC, and a fingerprint sensor together. I wouldn’t even need NFC if not for the fact that Apple is still making iPhones with Lightning ports, but that’s another story. I hate the idea of a key that serves as the 2FA for every one of your accounts without being properly locked to its owner. “Lose” your key? If the thief knew what they were doing and has your passwords, they have all of your accounts. The mitigation is to set a PIN on the key (FIDO2 keys support one, and sites can insist on it at login) or buy a model with a fingerprint sensor; either way the key alone is useless to whoever picks it up. Still, security keys are a promising technology, and some people may prefer them to typing in 6-digit codes.

Not every account supports security keys, so I still recommend having Authy as a fallback, and SMS only for accounts that offer nothing better than a text message. Where a site accepts an app or a key, remove SMS from that account entirely; a weak fallback left enabled is the one an attacker will use. The exact steps differ by account and by type of key, but the practice is largely the same. Choose to set up 2FA with a security key, then plug the key in and touch it. You may need to enter its PIN or use your fingerprint to unlock it, and you will likely be prompted to add a second key as a backup. Do that: a single key that is lost or broken locks you out of your own accounts. As for which key to go with, Yubico’s keys are among the most popular in the industry. You can also check out keys from Kensington. The key you’ll want will have FIDO2 support, at a minimum.

As I haven’t had the chance to try these out, my suggestions come mostly from other reviewers. Apple even sometimes carries Yubico’s keys, when they’re in stock. However, my primary suggestion, currently, is still Authy combined with biometric security on the app itself.
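The reason a PIN or fingerprint on the key is enforceable, and not just a nice-to-have, is visible in what a site receives from a FIDO2/WebAuthn key at sign-in. Here is an added example, written for this article rather than taken from Yubico’s or Kensington’s code, that builds and parses the authenticator data a key returns and applies the policy checks a site makes before trusting it: the RP ID hash must match the site, the user-present flag must be set, the user-verified flag (set only when the key checked a PIN or fingerprint) can be required, and the signature counter must move forward. The RP IDs and counter values are constructed, and the actual signature check over this data with the credential’s public key is left out.

```python
import hashlib
import struct

# Flag bits in the WebAuthn/FIDO2 authenticator data (the byte after rpIdHash).
FLAG_UP = 0x01  # user present: someone touched the key
FLAG_UV = 0x04  # user verified: the key checked a PIN or fingerprint first
FLAG_AT = 0x40  # attested credential data follows (registration responses only)
FLAG_ED = 0x80  # extension data follows


def build_authenticator_data(rp_id, flags, sign_count):
    """Constructed sample of the 37-byte authenticator data a key returns at sign-in:
    sha256(rpId) || flags || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data):
    """Split the fixed prefix; anything after byte 37 is attested-credential or extension data."""
    if len(data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    return {
        "rp_id_hash": data[:32],
        "flags": data[32],
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "rest": data[37:],
    }


def check_assertion(data, expected_rp_id, last_sign_count, require_uv=True):
    """Policy checks a site applies to an assertion before trusting it. Returns (accepted, reason).
    The signature itself is verified separately with the credential's public key over
    data || sha256(clientDataJSON); that cryptographic step is omitted in this example."""
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: the key signed for a different site"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence flag not set: the key was not touched"
    if require_uv and not ad["flags"] & FLAG_UV:
        return False, "user verification required but the key did not check a PIN or fingerprint"
    # A counter that fails to move forward is the spec's signal that the key may have been
    # cloned; keys that implement no counter always report 0 and are exempt from the check.
    if ad["sign_count"] != 0 and ad["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


if __name__ == "__main__":
    sample = build_authenticator_data("twitter.com", FLAG_UP | FLAG_UV, 42)
    print(check_assertion(sample, "twitter.com", last_sign_count=41))
    print(check_assertion(build_authenticator_data("twitter.com", FLAG_UP, 43), "twitter.com", 42))
```

The second call in the demo is the “lost key” case from the section above: a touch-only response from a key that never asked for a PIN or fingerprint is rejected as long as the site requires user verification, which is why setting a PIN on the key (or choosing a biometric model) matters more than the key’s port or NFC support.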

Strengthening Your SMS-Based Security

Of course, the whole reason to use other forms of 2FA is that SMS-based 2FA isn’t great. It’s too easy for an attacker to use “social engineering” (believable lying) to get your cell service provider to add another SIM to your account or port your number away, so that your text messages go to them instead. They can also simply text or call you pretending to be the service and ask you to read back the code. Never send a security code to anyone, and only enter one on a site where you yourself just requested it, never on a page you reached through a link in an email, text, or other unverified source. Even so, a targeted attacker who can intercept your texts, whether by SIM swap or by attacking the carrier network itself, can beat SMS no matter how careful you are.

Another thing you can do is set up a PIN (often called an account or port-out PIN) on your carrier account. Here are a few ways on Verizon, AT&T, and T-Mobile. Anyone trying to steal your phone number or move it to their own phone will have to know the PIN to do so. Make sure it’s a PIN you’re not using elsewhere. Also use made-up answers for your security questions; don’t answer them honestly, since the real answers are often public, and store the fake answers in a password manager like 1Password or on an encrypted drive. Security questions are a horrible form of security, as are four-digit PINs, but it’s all cell service providers usually give users. The process will be different for each provider, so log in to your account, check the security settings, and add a PIN if you can. Other than that, ensure you’re using a unique password for your cell service provider.

Use a Password Manager

While the rest of this has been about 2FA, you may also want to strengthen your first line of defense: your password. You should be using a password manager to store your passwords. I highly recommend 1Password, and have no other recommendations to give you outside of one: Do Not Use LastPass. LastPass is rather popular, but it’s had more breaches than I can remember, and in the most recent one attackers walked off with copies of customers’ encrypted vaults. A breach like that means every password in your vault is only as safe as your master password is against offline cracking, so you have to treat it as a reason to change every one of your passwords. Just don’t do it. Use 1Password; it’s far more secure and more frequently trusted by large companies for their security.

A password manager allows you to generate a randomized password for each of your accounts. This prevents password reuse, so if your Twitter account is hacked you won’t also be giving away your bank account password. You can also set exceedingly long passwords that are, for practical purposes, impossible to guess. By using a password manager and a strong 2FA method, you can make your accounts secure from all but the very best and most targeted attackers. Unless you’ve got a target on your back because you’re a high-ranking government employee, these measures will keep you safe.


Secure your password and back it up with a second layer of defense. Definitely don’t pay Twitter just to use the worst form of 2FA. You’re better than that, and your security should be too.
