A recent announcement by Twitter has begun to rock the multi-factor authentication (MFA) boat, and the ripples have spread throughout the tech world. The company announced that starting on March 20, 2023, unless a user is subscribed to its Twitter Blue program (an $11/month subscription), they will lose access to SMS-based two-factor authentication (2FA). SMS has historically been put forth as a low-friction mechanism that offloads several security and recovery functions to users’ mobile carriers.
Recent history has shown that not all MFA is created equal, as highlighted by the weaknesses of SMS-based 2FA to SIM swapping and social engineering attacks. There is also a hard cost for companies that choose to enable SMS 2FA.
When SMS codes are sent to devices, the communication is relayed through a third party, like a phone company or messaging service. These messages are automated as part of the login flow. At a small scale, this may seem to be a negligible cost when compared to other methods. However, for large service providers like Twitter, abuse of these mechanisms can be a very costly proposition. Bad actors can abuse the mechanism by creating fleets of accounts and then triggering MFA messages that are never answered, in what are known as SMS pumping attacks.
Legitimate accounts can also be compromised in account hijacking or identity theft scenarios via SIM swapping and social engineering. Even for small and medium-sized businesses, third-party costs related to SMS can expand – especially if the service is the target of pumping.
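To make the pumping pattern described above concrete, here is a detection sketch added as an example (it is not from the original post or from Twitter): it groups SMS code sends by destination number prefix and flags ranges where codes are requested in volume but almost never entered. The event layout, prefix length, thresholds and sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, not real traffic:
# (account_id, destination_number, code_was_entered)
EVENTS = (
    # Fresh accounts requesting codes to one number range, none ever entered.
    [(f"new{i}", f"+99955501{i:02d}", False) for i in range(6)]
    # Established users on another range; one of five abandons the login.
    + [(f"user{i}", f"+99777700{i:02d}", i != 3) for i in range(5)]
    # A single user retrying once: too little volume to judge.
    + [("user9", "+9981112001", False), ("user9", "+9981112001", True)]
)


def flag_pumping(events, prefix_len=9, min_sends=5, max_completion=0.2):
    """Return destination prefixes whose SMS codes are sent but rarely entered."""
    stats = defaultdict(lambda: {"sends": 0, "verified": 0, "accounts": set()})
    for account, number, verified in events:
        bucket = stats[number[:prefix_len]]
        bucket["sends"] += 1
        bucket["verified"] += int(verified)
        bucket["accounts"].add(account)

    flagged = {}
    for prefix, b in sorted(stats.items()):
        completion = b["verified"] / b["sends"]
        # Require volume first so one forgetful user is not reported.
        if b["sends"] >= min_sends and completion <= max_completion:
            flagged[prefix] = {
                "sends": b["sends"],
                "accounts": len(b["accounts"]),
                "completion": round(completion, 2),
            }
    return flagged


if __name__ == "__main__":
    for prefix, info in flag_pumping(EVENTS).items():
        print(prefix, info)
```

A flagged prefix is a candidate for rate limiting or for blocking further SMS sends until the traffic is reviewed; the thresholds need tuning against a service's normal completion rate.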
Fortunately, by adopting alternate modern MFA methods like FIDO2/WebAuthn, service providers can maintain ease of use and flexibility in their MFA workflows and cut out major costs and risks associated with SMS.
The future of MFA with FIDO2 and WebAuthn
The WebAuthn standard, also known as FIDO2, describes user-friendly and cryptographically secure authentication methods that are flexible, modern and do not require additional costs for the service provider. It’s supported by all modern operating systems and browsers, and can leverage built-in authentication features of devices such as computers and phones – or even more secure options like external security keys. Yubico, the inventor of the YubiKey, which is the gold standard for hardware security keys, also created and continues to contribute to the FIDO2/WebAuthn standards.
Since mid-2019, Twitter has provided customers the option of WebAuthn, and it is the company’s preferred MFA method for its internal employees as well. Twitter also supports it as the only MFA method that users can select that does not require a phone number – helping to enhance privacy and anonymity. Instructions for enrolling WebAuthn devices can be found on Twitter’s Knowledge Base here.
WebAuthn is the de facto phishing-resistant MFA standard that allows end users to associate their security keys or security devices across a wide array of services. Since users bring their own authenticator, and the standard is free to use, companies can provide highly secure MFA that doesn’t incur unexpected transactional cost. Twitter, by essentially retiring SMS 2FA methods for non-Twitter Blue subscribers, is taking a bold step forward in both controlling its costs AND guiding users to stronger, easier-to-use authentication methods.
To find out which YubiKey is right for you, we encourage Twitter users and others who are looking for a modern MFA alternative to SMS or authenticator apps to take Yubico’s quiz. A great option for Twitter users is the newly updated Security Key Series, which offers high security for all online accounts via FIDO-based phishing-resistant MFA. You can see all of our security key options and form factors via our store.
The post Twitter’s changes to MFA: What the move means for the future of authentication appeared first on Yubico.