Elon Musk’s tenure as head of Twitter has been something of a rollercoaster ride from day one.
Internally there have been mass staff sackings and crazy diktats, such as the memo telling remaining staff they had to be ‘extremely hardcore’ about their working hours – resulting in one executive taking a sleeping bag to the office to sleep there after an 18-hour day (only to be fired anyway).
And externally there have been policy lurches too: starting to charge VIP users for their famous blue ticks – before opening up the status to anyone willing to pay, adding and then removing features in days, splitting content into ‘for you’ or ‘following’ categories to fundamentally change the way that feeds work.
Whether there’s a strange genius at work that will be ultimately vindicated, or Musk is destroying the essence of the product he bought for $44 billion and rendering it valueless, remains to be seen.
But perhaps the most apparently bizarre move of them all came just recently to much less fanfare than many of these others. That was probably because it was a technical one rather than related to content or status, categories users tend to be more concerned about. But it tells an interesting tale that I think is worth exploring.
The platform announced in February that users who wanted to continue to use Twitter’s SMS two-factor authentication (2FA) method would be forced to pay for the service from March – because from March it would only be available to those blue tick accounts, which of course now cost $8 per month to retain.
Twitter warned those not prepared to pay for this upgrade that it would turn off 2FA for their accounts completely.
Why? Well, because SMS-based 2FA is now becoming an increasingly discredited and outdated security function anyway – so it’s far from a premium service.
You have, in Elon Musk, a man with cutting-edge tech apparently built into his DNA: he co-founded PayPal, which transformed financial transactions across the nascent internet ecosystem; he aspires to transform transport globally via his Tesla brand; and he aspires to transform travel beyond the globe – to infinity and beyond, as it were – with his SpaceX project.
But here was Musk talking about a security system that has been nudging towards being outdated since at least 2016, when it was first flagged by the US Department of Commerce’s National Institute of Standards and Technology as not fully secure. And seven years ago is aeons in the fast-moving tech world, where everything happens more and more quickly.
I suspect this policy announcement wasn’t quite the clunky move it first appeared, and that the real news was buried lower down in the explanatory notes from Twitter.
“We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead,” this read. “These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.”
In other words, Twitter was getting rid of SMS 2FA because it was becoming obsolete – and it was doing its own housekeeping by forcing users to get with the programme and move to more up-to-date security protocols.
And the $8-a-month charge to keep SMS 2FA was probably a Musk side hustle: an attempt to use the switch to lever those who were so attached to it that they’d pay to keep it into taking up his blue tick subscription. In other words, monetise it if you can – as he seems intent on doing across the platform.
But, otherwise, the move is a red herring, and the real story is that SMS-based 2FA is being phased out across the world.
The reason is that it has become too easy in some scenarios to bypass the security it’s meant to provide. Fraudsters – or ‘bad actors’, as they’re known in Musk speak – are able, for example, to outflank SMS 2FA in scams like ‘SIM swap’. This is when a mobile phone provider is tricked into issuing a replacement SIM for a supposedly lost handset (or similar) without the real owner of the number knowing anything about it. Once the replacement SIM is fitted into another handset, the fraudster holding that handset receives the victim’s calls and texts and can take over their online identity. Any SMS 2FA codes are then delivered to the fraudster, so they aid rather than prevent the fraud.
But if you are still using SMS 2FA in most contexts, you don’t need to panic. It’s not inherently dangerous by any stretch – in fact it’s entirely robust in the vast majority of situations. But its weak areas mean it is broadly beginning to be retired in favour of systems that are robust across the board.
The newest systems restore the idea of ensuring the device and the user are one and the same entity. This eliminates the areas where 2FA is prone to being bypassed.
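The SIM-swap weakness described above and the device-and-user binding idea in the previous paragraph can be expressed as one decision rule: before an SMS code is sent, ask whether the SIM and handset behind the number are still the ones the user enrolled with, and if not, route the login to an authenticator app or security key instead. The Python below is an added example written for this page; it is not TMT Authenticate’s code and does not use any real carrier API. The `TelcoSignal` record, the `lookup_signal` function, the 7-day and 30-day windows and the phone numbers are all constructed assumptions standing in for a live telco query.

```python
"""Decide whether an SMS one-time code can be trusted for a given number.

Added example (not TMT's product code). It assumes a hypothetical carrier
lookup that reports when the SIM on a number last changed, when the number
was last ported, and whether the handset seen today matches the one bound
at enrolment. Everything below the imports is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed policy windows: a SIM swap inside 7 days or a port inside 30 days
# is treated as "the SIM may not belong to the enrolled user".
SIM_CHANGE_WINDOW = timedelta(days=7)
PORT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class TelcoSignal:
    """Hypothetical carrier record for one mobile number (MSISDN)."""
    msisdn: str
    last_sim_change: Optional[datetime]   # None: no SIM change on record
    last_port: Optional[datetime]         # None: number never ported
    device_matches_enrolment: bool        # handset seen now == handset bound at enrolment


# Fixed "now" so the sample is reproducible.
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed records standing in for a live carrier query.
FAKE_TELCO: Dict[str, TelcoSignal] = {
    # long-standing SIM, same handset: an SMS code can be delivered
    "+447700900001": TelcoSignal("+447700900001", NOW - timedelta(days=400), None, True),
    # SIM replaced six hours ago and seen on a different handset: the swap pattern
    "+447700900002": TelcoSignal("+447700900002", NOW - timedelta(hours=6), None, False),
    # number ported to another carrier three days ago
    "+447700900003": TelcoSignal("+447700900003", None, NOW - timedelta(days=3), True),
}


def lookup_signal(msisdn: str) -> Optional[TelcoSignal]:
    """Stand-in for the carrier API call; returns None for unknown numbers."""
    return FAKE_TELCO.get(msisdn)


def decide_sms_otp(msisdn: str, now: datetime = NOW) -> Tuple[str, str]:
    """Return ("allow", reason) when SMS is an acceptable second factor for
    this number right now, or ("step_up", reason) when the login should be
    routed to an authenticator app or security key instead (and the event
    logged for the fraud team)."""
    sig = lookup_signal(msisdn)
    if sig is None:
        return "step_up", "no carrier record: SIM integrity cannot be vouched for"
    if sig.last_sim_change is not None and now - sig.last_sim_change < SIM_CHANGE_WINDOW:
        age = now - sig.last_sim_change
        return "step_up", f"SIM changed {age} ago (inside {SIM_CHANGE_WINDOW.days}-day window)"
    if sig.last_port is not None and now - sig.last_port < PORT_WINDOW:
        return "step_up", f"number ported {(now - sig.last_port).days} days ago"
    if not sig.device_matches_enrolment:
        return "step_up", "handset differs from the one bound at enrolment"
    return "allow", "SIM, port history and handset unchanged since enrolment"


if __name__ == "__main__":
    for number in list(FAKE_TELCO) + ["+447700900099"]:
        decision, why = decide_sms_otp(number)
        print(f"{number}: {decision:8} {why}")
```

The point of the rule is that the SMS channel is only as trustworthy as the SIM behind it, so the check runs before the code is sent, not after it is typed in. A real deployment would replace `lookup_signal` with the carrier query, tune the windows to observed swap-to-fraud lead times, and treat every `step_up` as a signal worth alerting on, since a fresh SIM change followed immediately by a login attempt is the pattern the scam in the previous section relies on.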
Our version of the most up-to-date protection systems is TMT Authenticate. It provides a seamless check – so seamless the user isn’t even aware it’s happening – with no verification codes or other hassles and no weak spots. And it’s more secure than anything that’s yet been devised.
It works by using up-to-the-minute data on users and the integrity of their mobile phone accounts from the telcos themselves so it’s a near-perfect insight.
We’re encouraging our clients to move towards offering this function. It’s proving extremely popular. And you don’t even need a Twitter account let alone a blue tick to subscribe.
Take a look at our latest white paper, Tackling Mobile Identity Fraud in Financial Services. Our product experts are always on hand to answer any questions!