Everyone I know who works in security has seen Some Stuff. But I've never seen a website that told users you must remove two-factor authentication.
If this were framed around security our headline might say something like "You must upgrade to a stronger two-factor authentication method" and give the offramp to an authentication app or security key right there. Instead, the framing is that you need to remove your current method or use the paid service.
@mshelton this is what happens when the growth team writes your security interstitials

@mshelton the really dangerous part of this is that it frames SMS based 2FA as the "premium" service when it's the weakest of the options.

SMS has been compromised before whereas app-based 2FA offers a much smaller attack surface.

https://cointelegraph.com/news/t-mobile-sued-by-victim-who-lost-450k-in-bitcoin-in-sim-swap-attack

@mshelton *sigh*

And you know, the irony is that this *could*, in some world, have been sold as a smart move, if only the message was:

> Improve your account security by moving off of SMS TFA and onto an authentication app or security key.

But of course that's not what they went with.

@rysiek @mshelton A simple Google search shows this is the intention, but Twitter leadership is a bit obtuse these days.
@mshelton Um, what? Is this real?

@mshelton Only phone number (i.e., Text Message) 2FA of the three provided is being taken away, the one that SIM shenanigans can make useless. Why, if it is a problem, T-Blue users get to use it is baffling, but there you are.

https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

#security #2FA #twitter #elon


@sfwrtr @mshelton prob just don't want to pay for the texts
@sfwrtr @mshelton "this is not secure...it's also now $8...I'm a genius" Musk

@mshelton

It's costing Twitter too much to send the codes via SMS allegedly so they're turning it off.

I doubt it saves a huge amount but it's another step to bankruptcy.

@simonzerafa @mshelton Not wanting to be a Twitter apologist, but from https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter:

> unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors.

They do state they are removing phone 2FA because it poses security issues.

@sfwrtr @mshelton

That's a phone charges issue. BAs set up accounts and request lots of SMS 2FA tokens which are chargeable to Twitter 🫤

@sfwrtr @simonzerafa @mshelton Don't be. This was done this way solely to shill his eight buck plan; otherwise he'd disable SMS completely and force everyone to token MFA.
@timjclevenger @simonzerafa @mshelton This is a reasonable explanation for keeping text 2FA for T-blue. The idea that money should allow you the ability to do something otherwise considered stupid is rather an interesting tell about Twitter's management, however.

@sfwrtr @simonzerafa @mshelton That’s an utter falsehood on their part. If that were their motivation, they’d remove SMS 2FA entirely rather than restrict to paid accounts.

In reality, humans dislike TOTP 2FA and prefer SMS codes for lots of reasons. So they're making the less secure, but preferred, option a premium feature.

@simonzerafa @mshelton it is lost to history but Twitter used to be an SMS first service with the web interface as secondary.

Makes this move even more ironic.

@mshelton to their credit, it is restricted to a particular form of 2FA. To their discredit, it does not apply to the presumably more sensitive paid accounts. (?)
@Qbitzerre @mshelton Absolutely. That's the weird part. If you're willing to pay money, you get to do what you want? Huh?
@mshelton been getting this message from bird site for weeks. Will comply at the last possible moment. ;-)

@mshelton It's asking to remove _text message_ 2FA, not 2FA in general.

Which is not as bad as you make it sound, because SMS based 2FA is one of the insecure ways to 2FA.

@mshelton It is a new way for them to force you to pay for the Blue check mark.

@mshelton

#Elon is such a douche. Unless he’s trying to destroy twitter.

@mshelton Elmo is determined to make sure everyone knows that he is an idiot.
@mshelton Well it's #Twitter... what do you expect?
@mshelton I can remember constant messages from Twitter suggesting I use Two Factor Authentication about a year ago.
@mshelton
What the [bad word] are we supposed to use instead?
@mshelton I really think he just wants to wreck Twitter.
@mshelton Ego Must continues to be ridiculous.
@mshelton
They don't give a damn about security. They're trying to upsell people to Twitter Blue.
@mshelton when are people gonna realize they’re asking for hell by staying on that bird site.
token based mfa > text mfa

also it's expensive to send sms lol
@mshelton after they forced you to use it and blocked your account if you didn't have it.. for like a fucking decade

@mshelton

I'm no fan, but if you are bleeding money, and SMS 2FA is costing you, telling people to move to a different 2FA doesn't seem so terrible.

<please don't shout at me>

@mkarliner @mshelton That is pretty incoherent. On the one hand, it would make sense if they were removing it altogether because some people feel that SMS two factor is insecure. But since they are continuing to let paying users use it, that isn't the reason. If anything this makes it seem more like they are desperately trying to find reasons that people should get a paid account. It isn't going to happen for most. Just give up Elon.
@mshelton if i saw this, i would assume i was being targeted by a phishing attack
@mshelton It costs them a penny for every sms message they send. The child doesn't see enough value in securing his non-paying accounts to make it worth spending that on them.
@mshelton faintly like websites that charge for SSO support?
@mshelton i mean, how much could one extra factor cost? $10?
@mshelton personally, I should've added #2FA to my login just to purposefully lock myself out of it!
@mshelton Musk just wants you to pay money for the Blue check mark ...
@mshelton Wow, nothing like telling your users "you don't pay me, so I don't care about your security."
@mshelton SMS is by far the least secure MFA scheme. It's really funny Elmo is going to charge you for what you shouldn't use.
@mshelton Elon Musk lives in the bizarro world.
@mshelton Elon doesn’t want to pay for the text message unless you’re paying him first.
@mshelton Every post like this makes me even more sure that I made the right decision to leave that hell hole. Not a penny to Elon.
@mshelton I tried to remove it, but couldn’t remember my password. Lol.
@mshelton yea the wording matters. Instead of asking users to switch to another 2FA method they are asking them to remove 2FA altogether.

@mshelton

You can only have a secure account with MFA if you pay. Reeks of desperation.

@mshelton
Sending an SMS costs money, end of explanation.
@mshelton Yeah, that makes sense. Make security harder for end users. Because that ALWAYS works out well.
@mshelton So you pay more to get a less good 2fa?
@mshelton Welcome to the world of Snukmole.