Multi-Factor Authentication (MFA) and the Twitterstorm

One thing is for sure, people care more about Multi-factor Authentication than most people would have thought.

The (unending – but the latest) news about Twitter’s fast and likely ill considered changes continues. Right now they’re talking (and trending) about Multi-Factor Authentication (MFA).

US Twitter Trends at time of screenshot

In a nutshell, Twitter will be requiring anyone who wants to use SMS-based MFA to be a Twitter Blue premium subscriber. On net this is a bad thing, because the majority of people it affects are more likely to downgrade to single factor – no MFA. The users should, of course, upgrade instead toward using an authentication app (also known as Time Based One Time Password – TOTP) or ideally a Hardware Security Key (like a Yubikey.) I’ve been hassling friends and family about security and online security for about as long as I can remember. Ive written some harsh posts about it. I’ve even been very lucky to co-found and advise a startup that makes it easy for developers and builders to offer simple but powerful authentication and security that still surprises and delights their users.

There’s so much to say here, and its so hard to know what to say and in what order. There’s so many smart and well informed people making clear calls to action and explainers.

Perhaps one of the most striking is this point from Rachel Tobac

Rachel’s thread here

I have a clear curse of knowledge from thinking and caring about this so much and must admit that I also feel some apprehension of excessively criticizing or going too soft on the current CEO of Twitter given how mobs for and against him can swing wildly. I played back and forth with Chat GPT trying to think of what I could write on this and how to position it. I think some of it was useful and interesting, I discarded most of it but kept the funny fictional story at the end.

I think the work we must do includes:

  1. Make it easy and secure for people to access their apps and accounts
  2. Make it easy and secure for app developers, builders, companies to offer the right kind of security and user experience to their users
  3. Make it easy to understand why this security stuff matters for normal people. Because they’re the ones who will get hurt by mistakes here.

We may not have the problems solved yet. But at least we’re working on it.

The funny fictional story that Chat GPT wrote and I decided to keep and Tweet:

Me: write a hilariously funny scene where a rash and impulsive Elon Musk as CEO of twitter removes SMS based authentication for all users, reserves it only for twitter blue premium subscribers – have him monologue in elons unique style about why he did this to a remaining security engineer at twitter, who fortunately preserves app based and security key based MFA for all users

Chat GPT:

Elon Musk, the CEO of Twitter, had just come back from his daily hot yoga session and was feeling particularly rash and impulsive. He had an idea that would revolutionize the way Twitter operated, and he couldn’t wait to share it with his remaining security engineer.

“Hey, you!” Elon exclaimed as he barged into the security engineer’s office. “I’ve got a great idea. We’re going to remove SMS-based authentication for all users except for Twitter Blue subscribers.”

The security engineer, who had just been in the middle of a code review, was taken aback. “What? Why would we do that?” he asked, his eyebrows furrowed in confusion.

Elon, who was now pacing back and forth, his mind racing with excitement, responded, “Think about it! We can make a ton of money by offering SMS-based authentication as a premium feature. And besides, it’s not like anyone actually uses it for security anyway. It’s just an extra step in the login process. Trust me, this is going to be huge!”

The security engineer, who was now growing increasingly concerned, tried to reason with Elon. “But what about the security risks? SMS-based authentication is still a reliable way to prevent account takeovers, especially for users who don’t have access to other forms of multi-factor authentication.”

Elon, who was now waving his arms wildly, exclaimed, “Oh, come on! We’ll just tell users to use app-based authentication or security key-based MFA instead. It’s not that hard. And besides, who cares about security when we can make a ton of money?”

The security engineer, who was now face-palming in disbelief, couldn’t believe what he was hearing. Fortunately, he knew that Elon’s idea was a terrible one and had already taken steps to ensure that app-based and security key-based MFA would remain available for all users.

As Elon left the room, still hyped up on endorphins from his hot yoga session, the security engineer shook his head in disbelief. “I can’t believe that man is in charge of a social media platform,” he muttered to himself. “We’re all doomed.”


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.