Twitter’s recent decision to turn off SMS two-factor authentication (2FA) for non-Twitter Blue users created a stir. While media and tech pundits questioned the company’s motives, many users complained of losing a universal security measure behind a paywall. But all reasons and transition hiccups aside, “the residual benefit here is that it provides an opportunity to improve the security of Twitter’s userbase by migrating them to a more secure method of multi-factor authentication (MFA),” says CyberArk Labs offensive cybersecurity research evangelist Andy Thompson.
I asked Thompson to break down major SMS authentication risks and why more organizations will likely follow in Twitter’s footsteps. Here’s what he had to say.
An “Any 2FA Method Is Better Than None” Philosophy Won’t Protect Your Data
As consumers, we have plenty of opportunities to switch on SMS 2FA (which requires both a password and code sent by text to our phones) to help protect banking, social media, email and other online accounts. “Using any kind of MFA method is arguably better than using a password alone when it comes to personal use,” Thompson says. “But that doesn’t mean SMS authentication can adequately protect your data, and it certainly isn’t workable for complex enterprises that need to secure access for employees, vendors, partners and clients.”
In fact, SMS is one of the least secure MFA methods out there today. “Thanks to SMS 2FA, virtually every organization has been hit with a subscriber identity module (SIM) swapping attack at one point or another,” he says.
SIM Swapping Is Alive and Well
In a typical SIM swap, a threat actor obtains a victim’s personal data using phishing techniques, then uses this information to convince a mobile carrier to switch the number associated with a SIM card to another unauthorized device. Criminals often employ social engineering to do this, though rogue insiders are sometimes convinced to help. After this “swap,” all calls and texts to the victim’s number are re-routed to the attacker’s phone. By sending a “forgot password” or account recovery request for any account linked to the phone number, the attacker can obtain an SMS 2FA code, then use it to log in, change the password and control the account.
SIM swapping has been around forever. In 2019, former Twitter CEO Jack Dorsey’s own Twitter account was hijacked via SIM swapping. The following year, a SIM-swapping gang stole more than $100 million by targeting celebrities and online influencers. In 2022, the U.S. Federal Bureau of Investigations (FBI) issued its own warning, citing a record number of SIM-swapping complaints to its Internet Crime Complaint Center (IC3).
SMS Authentication Isn’t Cost-effective or Easy to Use
Though organizations from the National Institute of Standards and Technology (NIST) to Google have warned against using SMS 2FA for years, it remains a popular authentication method. “This doesn’t make much sense when you stop and think about it,” Thompson says. “From an end user perspective, SMS authentication is pretty clunky and inconvenient.”
It’s also expensive. Twitter reportedly spent $60 million a year combatting SMS texts from fake bot accounts. What’s more, companies are typically charged a fee for every SMS code that’s sent. This can add up quickly. “While I can’t speak for the company, these seem like reasons enough to drop this MFA option for free users. If you want Twitter to continue to support the backend of an insecure feature, you gotta pay for it,” Thompson says.
There’s also the potential cost of a breach to consider. Since it takes two to SIM swap (meaning an individual and a mobile carrier get scammed), who’s ultimately responsible for the damage? Thompson points to a notable legal case involving $24 million in stolen bitcoin. This month, a California judge ruled that the telecom provider was not liable for punitive damages. “Identity-based threats are evolving rapidly,” says Thompson. “This case further underscores the need for organizations to rethink their legacy MFA approaches and adopt modern alternatives that are built to outpace attackers and protect critical assets.”
Organizations Need More Adaptive Ways to Verify Identities Based on Levels of Access, Privilege and Risk
So where can organizations go from here? What can be done, for instance, when a threat actor has an employee’s login credentials and a clone of their mobile device? “This is where phishing-resistant secondary authentication factors such as a FIDO, QR codes, biometrics or physical tokens can make a big difference in thwarting attacks,” Thompson says. However, no MFA method is failsafe. He adds, “MFA fatigue attacks and other elaborate phishing schemes look for ways to bypass MFA of all kinds. And in these cases, the additional ability to analyze user behavior is critical for making smart, real-time access decisions.”
Unlike SMS 2FA, an adaptive MFA solution can learn from a user’s history of access habits, which enables it to discern typical behavior from risky activity. This allows the solution to ramp up or streamline authentication challenges based on real-time insights. The flexibility of this adaptive form of MFA provides a balance that takes care of job number one: protection. But it also prevents enhanced security measures from negatively impacting user experience.
“MFA has come a long way,” Thompson says. Putting forth a bottom line, he adds, “Let’s hope Twitter’s decision to retire SMS authentication inspires others to take this important step toward a safer, more secure digital future.”
David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.
For more insights from Andy Thompson, check out his CyberArk Trust Issues podcast dive into the latest developments in the world of ransomware.