An update on two-factor authentication using SMS on Twitter

@film_girl The bit about how this is because SMS TFA is bad just gets entirely undermined by the part where it's still available to Blue users. Like... zero internal consistency at all.
@cgranade @film_girl I’d actually respect this move if they just dumped SMS 2FA entirely.
@mattstocum @cgranade @film_girl The "unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors" would certainly be a whole lot more credible and defensible if it weren't immediately followed by "so we're restricting it to people who have given us payment info" 🤔
@reedmideke @mattstocum @film_girl That, and if they gave a good migration path that wasn't "lolz, hope you saw this within 30 days." SMS auth is bad, zero disagreement, but leaving users in the lurch is worse.
@cgranade @reedmideke @mattstocum yes! This is what I was saying to someone quasi-defending Elon on Twitter who assumed users would just be migrated. You can’t “just migrate,” and as I said, Twitter doesn’t have the staff to support the sort of hand-holding you’d need to do this properly.
@film_girl @cgranade @reedmideke we have a hard enough time getting people to use TOTP at my work, and we do hold their hands through the process. An astonishing number of people just want to use text messages because, "it's easy."
@mattstocum @cgranade @reedmideke yes, I'm a firm believer this has to become a halo feature in the OS itself. iOS has support now, but they sort of hide how it works. I don't think it is built into Android (happy to be wrong). We need it to be dead-simple and fortified inside the mobile OS for people to use TOTP. Or we need to just all move to Passkeys, which honestly might be the move.

@film_girl @mattstocum @reedmideke
I don't know of any Android distros that have TOTP built-in, but Google pushes their Google Authenticator app pretty hard.

And yeah, 100%, yes to passkeys (still waiting on Windows and Android to catch on there). For serious use, I'd still prefer TFA on top of that, but that's just me.

@cgranade @film_girl @mattstocum @reedmideke I read about #passkeys a while ago, IIRC they require a *smartphone* specifically to be the device with the master key - not a PC. And only the browsers and operating systems controlled by the giants can use them... How is that a good idea? Have I got something wrong?
@neatnit you can use passkeys without a smartphone. 1Password is working on adding support. Right now they’re mostly tied to Apple products, because Apple has been pushing the development, but there’s no reason open source password managers couldn’t add support.