Twitter has been in the news again, and this time because of security. The company has announced that it will only allow its users to secure their accounts with SMS-based two-factor authentication (2FA) if they pay for a Twitter Blue subscription. This surprised a number of people (eg, Davey Winder here in Forbes) because in 2023 no-one should be using SMS for “security” in any circumstances: Not banks, not fintechs, not payment companies, not governments, not Twitter, not anyone.
SMS Is Not Security
SMS was deprecated as an authentication method by the US Department of Commerce’s National Institute of Standards and Technology (NIST) back in July 2016 when they said that SMS is deprecated, and will no longer be allowed in future releases of this guidance. Therefore it seems to me that we should by now have stopped using the phrase “SMS security” completely! Charles Brookson, then the head of the security group at the mobile operators’ association (the GSMA), made this point 15 years ago. I was there. He gave a talk about the use of SMS for mobile banking and payment services and made the point that SMS has, to all intents and purposes, no security whatsoever. Yet as of today, the default 2FA option for all kinds of fintech services remains SMS.
So why is anyone still using SMS for 2FA? A couple of years ago, the well-known security researcher Brian Krebs said that we should stop treating mobile phone numbers as identifiers (for which they were never intended) and avoid selecting SMS or phone calls for 2FA or one-time codes. He was right. Yet SMS 2FA is at the heart of the “SIM swap” frauds that continue to plague both traditional financial services and cryptocurrencies.
In a SIM (Subscriber Identity Module) swap attack, fraudsters convince their target’s mobile operator to move the target’s phone number from the SIM card inside the target’s handset to the SIM card inside the criminal’s handset. The criminal can then pose as the target and have service providers (eg, cryptocurrency wallets) send password reset links or authentication codes to the criminal’s handset. It is far too easy to do this. When Princeton University researchers made 50 total attempts to have employees at five different mobile service providers (ten attempts per provider) complete SIM swaps that shouldn’t have been authorised they were successful in pulling off the scam 39 of those 50 times, and in many cases were only asked to provide the simplest authentication details.
(To give just one example, in December last year a chap from Florida was sentenced to 18 months in prison for his involvement in a SIM swap attack that allowed fraudsters to transfer roughly $24 million in cryptocurrency from cryptocurrency investor Michael Terpin.)
Bye SMS, Hello Passkeys
I can’t wait for the death of SMS 2FA. Hopefully it won’t be too long. The password manager that I use, 1Password, is going all-in on “passkeys” starting this summer, as more services move towards passwordless logins. Passkeys is the new standard for such passwordless logins, using the FIDO Alliance’s standard, and their growing use follows Google, Microsoft and Apple’s decision to support passkeys. Apple introduced Passkeys at WWDC last year and Google will support them on Android 14, which is expected to be released later this year.
I had never bothered turning on 2FA for my Twitter account until I saw Mr. Musk’s announcement about charging for SMS 2FA, at which point I did wonder why it is that, as Rolling Stone’s headline on the subject said, “Twitter to Allow Only Blue Subscribers to Use Worst Form of Authentication”. But his announcement did make me think about the security of Twitter account. So I logged in right away and turned on 2FA using Google Authenticator. Now I feel better and so does my wallet.