Forget SMS 2FA authentication – Twitter and others are making it less attractive by either charging for it or phasing it out altogether. But there’s a better alternative if only tech companies were willing to invest. 

By John E. Dunn  

Mention Twitter and two factor authentication (2FA) in the same breath right now and security watchers will immediately think about a puzzling announcement the company made less than two months ago. The gist was that anyone using or adding SMS 2FA to their account would have to buy a subscription to Twitter Blue for $8 per month to continue to use the feature. Charitably, this was probably intended as a nudge to make people upgrade to more secure options such as authentication apps or hardware tokens, which remain free of charge. More likely, people pointed out, its effect will be to encourage some users to stop using 2FA altogether. 

Arguably frustrating for some given the extra step and the delay it creates when logging in, yet for all its failings, SMS 2FA has always had one big feature going for it – it is incredibly easy to use. 

Alternative Authentication 

It’s true that putting a paywall between users and this simplicity is bothersome. Users could use an authentication app instead but that means downloading it, enrolling the app to Twitter, unlocking the app each time with a PIN or fingerprint, switching between apps to get a six-digit code before entering it at each login. 

Or they could buy a FIDO U2F token. They’re easier to use – a simple finger press – but they cost around $30 each, still need to be enrolled, and let’s not forget that you need a second one as a backup in case you lose the other one. 

This is the tension that has thwarted 2FA take-up among consumers from the start. You can have more security, but it’ll probably be less convenient. If you make it too easy – sending one-time passcodes via SMS – hackers will find ways around this using SIM jacking, man-in-the middle attacks, or bogus account resets.   

The massive irony of this debate is that almost nobody uses Twitter 2FA in the first place. According to its own figures from 2021, the percentage of users with at least one 2FA method turned on is a ridiculously low 2.6%. At Google, take-up is better at 10% but that still means 90% have it turned off. 

Frankly, for Twitter, as for so many other big web sites and services, the much-ballyhooed era of 2FA security has been an illusion all along. Most big web platforms turned 2FA on around 2013 and the only people using it a decade later seem to be corporates and expert users.  

The push alternative 

Frustratingly, a possible way out of this 2FA impasse already exists in the form of push notification. The technology is already widely adopted for business MFA and is simple to use. Users download an app and enroll their phones. Each time they log on from then on, a message pops up on their device asking them to authenticate their login with a yes/no.  

The advantage is that the user can authenticate with a single tap, backed by a conventional authentication code in situations where network communication is a problem. 

Admittedly, there are downsides. Push requires companies such as Google, Apple, Microsoft, or a third-party security vendor to act as a notification gateway. There have also been attacks on push notifications such as MFA fatigue which bombard users with rogue push requests until they agree to one to make them stop coming. 

A lot of these issues can be addressed through tweaks such as Microsoft’s number matching push system, or by rate limiting the number of push notifications that can be sent. Push notification apps also now give users more information about requests such as their geo-location and the device they were made from.  

But push notifications have one more trick up their sleeve that deserves to make them every security manager’s best friend. The whole reason 2FA is needed in the first place is that password credentials are incredibly prone to compromise. Once an attacker has these, organizations and individuals become vulnerable to an attempted bypass or social engineering attack at some point.  

Credential compromise is dangerous because admins have no way of knowing it has happened. They know the problem is likely but not when or against whom it will occur. It follows then that rogue notifications are a warning that something is wrong. If your users have been bombarded with multiple push notifications that weren’t from them that’s telling admins to change that user’s credentials immediately. 

As long as admins remember to give their users a channel for reporting suspicious push requests, it’s like having a free password compromise alerting system built into authentication.  

Will Twitter, or any other consumer social networking site adopt push? That seems highly unlikely. Setting up push notification would cost money at a company that seems happier cutting costs at the moment. However, as the industry embarks on the long and probably slow journey towards a password-less future, we could do a lot worse than giving push notifications a closer look.