An update on two-factor authentication using SMS on Twitter

This is truly doubling-down on stupid. You’re forcing most of your users off this method you call insecure, except for the ones that pay you $8 a month. Those users can continue to be unsafe, you say.
@film_girl isn't doubling down on stupid his brand at present?
@film_girl it feels more like a threat than a feature.
@film_girl It's like paying $8 a month to hide your front door key under a fake plastic rock.
@film_girl This might be the last straw to get me to delete my account altogether.
@kylewritescode @film_girl I finally started the process of deleting my account last night. I must admit I struggled to let go for a while, but I’ve had enough of Elon pushing his stupidity and egotistical ways on the platform.
@SirSwatch @film_girl Yep, deleted mine last night.
@film_girl gosh, this is going to backfire so badly.
@film_girl A fun double whammy that this will make accounts more prone to being hijacked by bot networks, especially for dormant accounts that don’t log in to reauthenticate using a more tedious-to-set-up method.
@mergesort exactly. And I know in the past that switching from one auth method to another was extremely convoluted. I can’t wait for all this to break on people. Just awful.
@film_girl Thank you. I couldn't quite figure it out. Because I'm just not fluent in stupid.
@film_girl imagine paying $8 a month for the luxury of using the least secure 2FA method 🤣
@film_girl I’m guessing this is to save money on sending SMS messages and the security angle is just a red herring. I mean, they should get rid of SMS 2FA on principle, but this feels like an excuse.
@SamStrongTalks correct. This is to cut the Twilio bill.
@film_girl but you can still use an authentication app and security keys, no? Actually, we know SMS is not really the safest way for 2FA … still, most will now just use their easy-to-guess password. 🫣
@wyssdaniel yes, of course they can. I’m pointing out the incongruity of claiming to end support for a 2FA method on the basis it is less-secure UNLESS you’re a paying user, then you’re welcome to continue to use or even enroll in the method you just said was too insecure to be worth supporting for everyone.
@film_girl It's kind of amazing, really, all the stupid that can fit into one egomaniacal toolshed.
@tbridge @film_girl it’s truly baffling. I don’t get it.
@film_girl @derek I have to wonder if he’s panicking. Advertisers dropped off *hard* in December—THE big month for consuming crap—and subscriptions aren’t even a blip of the revenue he’d hoped. And at their last earnings, they expected ads to drop even more!
@film_girl we need a flow chart to describe all the levels of stupid involved

@film_girl So based on that post, anyone using SMS 2FA (which is horribly insecure BTW) has to select a different method unless they pay? To be honest, I’d be happier if they just turned off SMS 2FA altogether for everyone. Anyone using it is inherently insecure.

Then again, I never used SMS 2FA & haven’t posted on Twitter since he took over so it doesn’t impact me.

@shanelord that’s not what the post says at all. It says anyone on SMS 2FA who doesn’t pay has to choose another option, but Twitter Blue subscribers can still enroll in SMS 2FA and continue to use it. And I agree SMS 2FA isn’t ideal. It’s better than no 2FA and they don’t even have instructions to help users get set up on something better.
@film_girl Sorry I was still mid edit on my post. I’ve since updated it.
@film_girl 2FA is confusing to the MAGA crowd. Elon wants/needs those people on Twitter, so he’s giving them something easier to understand despite it being against their own best interests.
@film_girl They've cut just 2FA via SMS, which generates costs for them. First of all, you can still use all the other methods, and second, why would you use 2FA via SMS in the first place? Because you hate privacy?
@film_girl The bit about how this is because SMS TFA is bad just gets entirely undermined by the part where it's still available to Blue users. Like... zero internal consistency at all.
@cgranade @film_girl I’d actually respect this move if they just dumped SMS 2FA entirely.
@mattstocum @cgranade I almost would too. The reason I would hesitate is that Twitter has hundreds of millions of users and it seems unfair to make everyone who uses SMS less secure just because it isn’t as secure as TOTP. In any event, you need to give people longer than 30 days to migrate to the new method.
@film_girl yeah, like most things where security is involved, it’s complicated, has a series of trade offs, and needs intelligent people to think about the ramifications of what they’re doing. Which, of course, is why Elon is doing this in the absolute dumbest way possible. I’m sure the only factor behind his decision is cutting down on SMS fees, and the security bit is just something someone threw in the blog post without his knowledge.
@mattstocum or that they wanted to do to save face. Even though it makes the overall messaging completely muddled.
@mattstocum @film_girl Ironic since Twitter started out by only being available over SMS
@blake @mattstocum @film_girl also if I remember right it was impossible to switch off SMS without fully disabling 2FA until fairly recently. Though that was fixed pre-Musk I think.
@therefromhere @blake @mattstocum yeah, I’m pretty sure that was true. Though I heard that employees who were laid off in November had to re-enable SMS so they could have their accounts disconnected from corporate the right way, and THEN they could swap to TOTP.

@mattstocum @film_girl It appears to me he bought twitter to destroy it.

His buddies, the authoritarians, do not like twitter.

It appears to me the shutting down of SMS two-factor is to expose millions of accounts.

I could be wrong, but usually if you think of the worst possible thing, that is the correct answer with these guys.

He also has no bottom, just like Trump.

@SimpleVitality @mattstocum @film_girl No. He's just stupid and insecure. He bought Twitter out of insecurity and now wants to earn money using stupid means.
@SimpleVitality @mattstocum @film_girl I thought this as well. It was a form of media that couldn’t be controlled by rich interests, so could not be allowed to stand. He is also infantile and conceited it’s true, but if he hadn’t done it someone else rich would.
@film_girl @mattstocum @cgranade this. 2FA over SMS has a lot of issues, but being worse than no 2FA ain't one of them.
@jbaert @film_girl @mattstocum @cgranade exactly, for people who can't figure out app-based 2FA, it's still better than no 2FA.
@mattstocum @cgranade @film_girl The "unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors" would certainly be a whole lot more credible and defensible if it weren't immediately followed by "so we're restricting it to people who have given us payment info" 🤔
@reedmideke @mattstocum @film_girl That, and if they gave a good migration path that wasn't "lolz, hope you saw this within 30 days." SMS auth is bad, zero disagreement, but leaving users in the lurch is worse.
@cgranade @reedmideke @mattstocum yes! This is what I was saying to someone quasi-defending Elon on Twitter who assumed users would just be migrated. You can’t “just migrate,” and as I said, Twitter doesn’t have the staff to support the sort of hand-holding you’d need to do this properly.
@film_girl @cgranade @reedmideke we have a hard enough time getting people to use TOTP at my work, and we do hold their hands through the process. An astonishing number of people just want to use text messages because “it’s easy.”
@mattstocum @cgranade @reedmideke yes, I’m a firm believer this has to become a halo feature in the OS itself. iOS has support now, but they sort of hide how it works. I don’t think it is built-into Android (happy to be wrong). We need it to be dead-simple and fortified inside the mobile OS for people to use TOTP. Or we need to just all move to Passkeys, which honestly might be the move.

@film_girl @mattstocum @reedmideke
I don't know of any Android distros that have TOTP built-in, but Google pushes their Google Authenticator app pretty hard.

And yeah, 100%, yes to passkeys (still waiting on Windows and Android to catch on there). For serious use, I'd still prefer TFA on top of that, but that's just me.

@cgranade @film_girl @mattstocum @reedmideke I read about #passkeys a while ago, IIRC they require a *smartphone* specifically to be the device with the master key - not a PC. And only the browsers and operating systems controlled by the giants can use them.... How is that a good idea? Have I got something wrong?
@neatnit you can use passkeys without a smartphone. 1Password is working on adding support. Right now they’re mostly tied to Apple products, because Apple has been pushing the development, but there’s no reason open source password managers couldn’t add support.

@mattstocum @film_girl @reedmideke There's definitely well-established ways of making the UX a bit easier to manage that aren't nearly as insecure as SMS. For example, bringing up a dialog from within a paired app (similar to MS Authenticator and Google's TFA).

I still prefer TOTP so that I can use one app for my dozens of TFAs, but there are at least secure alternatives.

@mattstocum @film_girl @cgranade @reedmideke that now makes a little sense, if you’re stupid enough to pay him $8 you’re probably only going to understand doing 2FA through SMS.
@steyrshrek @mattstocum @film_girl @reedmideke I think there's room to be more empathetic to users? It's not stupid to be intimidated by unfamiliar things, and there's not enough easy-to-follow guides out there for what TOTP is and how to use it.
@cgranade @steyrshrek @mattstocum @reedmideke yes. Please read @rmondello's blog. https://rmondello.com/2023/02/18/twitter-sms-2fa/ they make the user the center of their argument.
Twitter’s Decision to Limit SMS 2FA is Dangerous

Some background on me: I’m a software engineer working in what I call “usable security”. I’m passionate about this field because advancements can tangibly improve people’s lives, making their computing experiences easier and accounts more secure at the same time. This post contains some of my personal thoughts. It does not represent anyone else or [...]

Ricky Mondello
@film_girl @cgranade @steyrshrek @reedmideke @rmondello just finished it and Ricky convinced me I was wrong.
@cgranade @mattstocum @film_girl @reedmideke no what’s stupid is to pay a sociopath man child $8 a month for a blue check mark. I have zero empathy for Musk, Trump or Maga followers. I think you missed the point entirely.
@film_girl I love the idea of letting Blue subscribers be more vulnerable to account takeovers by using an inferior 2fa method. Brilliant.
@sharding @film_girl Yeah...I mean that is the logical conclusion here isn't it?🤦‍♂️
@film_girl omg I was sure this one wasn't true. It must have been one of those times someone leaks something to the press to attempt to stop a bad decision...

@Eric @film_girl I thought the same when I saw it appear on various feeds this morning, so in a different browser I logged in and got presented with the warning dialog, so it is true.

Wording doesn't say the same thing as the blog article, it hints you'll lose access to your account which is more worrying for those who still use the other place.

@film_girl what a fucking child with his bullshit rules.

@film_girl I always thought he was bland.

I didn't understand he was evil.