Analysis: Elon Musk's recent announcement makes the use of 2FA less likely - this is good news for cyber attackers and bad news for your online security
By Iain Nash, Queen Mary University of London and Edge Hill University
Recently, Elon Musk announced that SMS-based Two Factor Authentication (2FA) will only be available to people who pay for Twitter Blue. Non-Twitter Blue users will still be able to use other forms of 2FA, but SMS will no longer be an option. You may have seen this and thought that it didn't apply to you. Nonetheless, this is bad news, and it makes us all a little less secure on the internet.
We normally protect our online accounts using just a password. However, you’ve probably noticed of late that when you buy something online, you sometimes need to approve the transaction in your banking app. This is two factor authentication in action – your bank card details are not enough to authorise the transaction; your bank also needs to confirm your identity by having you demonstrate that you have access to your phone.
2FA is a security option which is offered by most major online services. It protects us because your password may not be enough to safeguard you online. Perhaps you chose a short password, which can be broken by brute force, or maybe you chose a password which is actually used by many people, and so can be easily guessed. Passwords are also often re-used by people for multiple different websites, and if one of these sites is breached, your details may be available for purchase on the dark web. Even if you have a great password, sometimes attackers can find a way to bypass it and get access to your account.
2FA can prevent an attacker, even if they have guessed, cracked or know your password, from getting access to your online accounts. 2FA adds a second step in the authentication process, so that in addition to your password, your account requires that the attacker be able to access your mobile phone. The probability of an attacker having stolen both your password and your phone is very slim; therefore by enabling 2FA, you make it much less likely that a cyberattacker can get access to your online accounts.
It is important to remember that these attackers aren't targeting you specifically; they go after everyone on a stolen password list. Using 2FA will protect your own data while also protecting your friends and contacts. Some people feel that attackers getting access to their email, social media or photoblog account is neither likely nor a big deal, but if attackers do get access, they can then contact your contacts on that service and send fraudulent messages, seeking access to their accounts or attempting to obtain their debit or credit card details.
A text message (SMS) is the easiest and most versatile form of 2FA. Every mobile phone, whether smart or traditional, can receive a text message. You don’t need to install any apps and you don’t need to worry about whether it is compatible with your phone. By using SMS 2FA to protect your accounts, the only extra step you have to take after entering your password is to wait for a text message and then enter the security code it contains.
SMS, however, is seen as one of the weaker forms of 2FA. This is because, if a cyberattacker is targeting a particular individual, they may be able to intercept the text message through a process known as 'SIM swapping'. This is where an employee in the target’s phone company is either tricked or bribed into issuing the attacker a SIM card which takes over the target’s number.
SIM swapping, however, is a difficult exercise, and is normally only used against a valuable target (such as your bank or trading account). Despite this risk, SMS 2FA is a great start for most people who are looking to protect their online accounts.
A number of technology commentators argue that SMS should not be used as a means of 2FA, due to the risk of SIM swapping. If you are looking to protect a valuable online account, you should use a more secure method such as an Authenticator App (Google, Apple and Authy are excellent examples), which generates the code on your mobile. However, these apps can be tricky to set up for new online services, and you need to open the app during the login process in order to get the code. You also need to think about challenges such as how best to back up and manage your Authenticator app, and of course, they only work on smartphones.
Looking beyond the recent Twitter news, we must not forget that some people, perhaps those who are elderly or privacy conscious, may not want to use a smartphone, and denying them SMS 2FA means they must either forgo a service or be required to use a smartphone. People who are fleeing a domestic abuse situation may not trust their smartphone, and a prohibition of SMS 2FA on the basis of the relatively small risk of SIM swapping must be weighed against the risk of physical harm to them if that smartphone has been compromised.
It is the unfortunate truth that relying on just a password is no longer sufficient to ensure your online safety. The easiest way to get more people to start using 2FA is to promote the use of SMS 2FA. Yes, it is the least secure of the 2FA methods, but it is much more secure than just a password, and once a person has started to use SMS 2FA, stronger alternatives can be encouraged.
Elon Musk's recent announcement makes the use of 2FA less likely, and this is good news for cyberattackers who are looking to exploit weak, re-used or stolen passwords. To protect your accounts and those of your contacts and friends, you should start using 2FA today, and SMS is an easy way to start.
Iain Nash is a Ph.D. candidate in the Centre for Commercial Law Studies at Queen Mary University of London and a Senior Lecturer in Technology and Artificial Intelligence Law at the School of Law, Criminology and Policing in Edge Hill University.
The views expressed here are those of the author and do not represent or reflect the views of RTÉ