Twitter No Longer Wants a Phone Number for 2FAChange Means Increased Privacy and Security for Users
Twitter users no longer have to supply a phone number to use two-step verification for authentication.
The move, announced Thursday, will help better protect accounts that may be targeted by so-called SIM swapping or hijacking attacks, in which attackers take control of a target's phone number and then intercept all two-factor codes that get sent to it.
The change will also enable users to maintain better security without divulging more information to Twitter. Previously, the "microblogging" service got called out for using phone numbers it had collected for targeted advertising. For privacy-conscious users who want 2FA, not divulging their phone number to Twitter also means that it cannot be accessed by authorities via legal requests.
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enrol in 2FA without a phone number. https://t.co/AxVB4QWFA1— Twitter Safety (@TwitterSafety) November 21, 2019
News of the 2FA shift comes as Twitter is pursuing a number of security improvements, including attempting to not just improve user-level security but also to reduce the number of fake accounts and make the social network less hospitable for disinformation campaigns.
One recent victim of SIM hijacking was none other than Twitter CEO Jack Dorsey. On Aug. 31, his Twitter account began posting racist and profane tweets, including a retweet of a post by a Holocaust denier, as well as a - thankfully bogus - bomb threat at Twitter's San Francisco headquarters (see Hey Jack, How Was Your Account Hacked?).
Twitter said the phone number associated with Dorsey's account "was compromised due to a security oversight by the mobile provider" and that the attack did not extend to its internal systems.
Phone Number, Please
Since 2016, the U.S. National Institute of Standards and Technology has recommended never sending two-factor codes via SMS. Despite such advice, however, many online services still offer an SMS delivery option for 2FA codes.
Twitter, however, began supporting third-party authentication apps in December 2017 and now supports such options as Google Authenticator, Authy, Duo Mobile and 1Password. Users can also use hardware keys, such as a Yubikey, to provide a second factor for authentication.
Using apps for two-factor verification is safer than receiving a one-time access code via SMS. Apps locally generate their own code, meaning it doesn't get sent over the air and thus is tough to intercept or steal. Previously, however, even if users opted for non-SMS two-factor codes, Twitter still required users to supply a phone number.
In early October, however, Twitter admitted that phone numbers it had gathered for security purposes were also being used for targeted advertising campaigns. Twitter said such usage was inadvertent and apologized (see: Twitter Apologizes for Repurposing Phone Numbers).
Twitter says the phone numbers got used as part of its Tailored Audiences advertising program. Companies can upload customer lists to Twitter, with all information getting hashed. Twitter compares the submitted hash with hashes of its user base data to find matches that offer more precise ad placement. Neither side, however, sees plaintext data of what information the other side has.
This isn't the first time security information has been repurposed by a social network for advertising purposes. In July, Facebook got hit with a $5 billion fine by the U.S Federal Trade Commission for a range of privacy and security failings, including using phone numbers provided for security for targeted advertising. Regulators said Facebook's choice to reuse the data could have been considered a secondary use of such data, which may conflict with privacy principles.
Twitter Move Minimizes Collected User Data
Twitter's previous requirement that users submit a phone number if they wanted better security controls also carried a big drawback for users who wanted to stay more private.
"Even if you carefully avoid giving Twitter your identifying information, and even if you access the service only over Tor or a VPN if you enable SMS 2FA, Twitter will necessarily have a record of your mobile number," the Electronic Frontier Foundation writes in its Surveillance Self-Defense Guide. "That means that, if compelled by a court, Twitter can link your account to you via your phone number."
Stealing Phone Numbers
The risk of sending 2FA codes via SMS has been well documented, given that such codes can be stolen by any malware running on the device, or intercepted if the phone number gets stolen. Such SIM swapping or hijacking attacks involve targeting victims and tricking their telecommunication providers to port a number to a new SIM or send out a new one (see: Gone in 15 Minutes: Australia's Phone Number Theft Problem).
Phone number theft relies on attackers' ability to socially engineer customer service representatives, although some attacks have been executed with help of corrupt employees. In May, the Department of Justice announced charges against nine men in connection with an alleged SIM swapping scheme that targeted cryptocurrency users (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
Three of the men were former employees of mobile operators Verizon and AT&T. Prosecutors allege that the scheme led to the theft of $2.4 million in cryptocurrency. SIM swappers often target cryptocurrency accountholders, because recovering stolen cryptocurrency from accounts held on exchanges can be difficult, if not impossible.