If there was ever a sure way to sour users on an already deficient two-factor authentication system, Twitter has found it. On Tuesday, the company disclosed that it had used phone numbers and email addresses provided for 2FA protection to target ads at users.
Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working mobile phone number is mandatory even when a user's 2FA is based solely on security keys or authenticator apps, neither of which needs a phone number to work. Deleting the phone number from the user's Twitter settings immediately removes the account from Twitter 2FA, which I verified just before publishing this post.
Security and privacy advocates have long complained about this requirement, which is not a condition of using 2FA protection from Google, GitHub, and other top-ranked sites. On Tuesday, Twitter gave critics another reason to complain. The company said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users against advertising lists uploaded by advertisers. Twitter did not say whether the number of users affected by the mistake was in the hundreds or in the millions, or how long the incorrect targeting lasted.
Company officials wrote:
We cannot say for sure how many were affected by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or other third parties. As of September 17, we have addressed the issue that caused this to occur and no longer use phone numbers or email addresses collected for safety or security purposes for advertising.
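As an added illustration, and not Twitter's code or a description of how its ad matching actually works: one way a service can structurally prevent the failure described above is to record the purpose for which each phone number or email address was collected and enforce that purpose at the exact point where identifiers are joined against advertiser lists. The hashed-upload match format, the class names and the sample users below are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

class Purpose(Enum):
    """Why a contact identifier was collected; stored with the identifier itself."""
    SECURITY = "security"    # given for 2FA, login alerts or account recovery
    MARKETING = "marketing"  # user consented to marketing contact

@dataclass(frozen=True)
class Contact:
    value: str  # phone number or email address
    purpose: Purpose

@dataclass
class User:
    user_id: str
    contacts: list = field(default_factory=list)

def hash_identifier(identifier: str) -> str:
    """Normalise and SHA-256 an identifier (assumed format of advertiser match lists)."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()

def build_audience(users, advertiser_hashes, allowed=frozenset({Purpose.MARKETING})):
    """Return ids of users whose contacts appear in the advertiser's hashed list.
    Only contacts collected for a purpose in `allowed` are consulted; the default
    excludes security-purpose data, so a 2FA phone number can never be the key
    that places a user in an ad audience."""
    matched = set()
    for user in users:
        for contact in user.contacts:
            if contact.purpose not in allowed:
                continue  # purpose limitation enforced at the join, not by convention
            if hash_identifier(contact.value) in advertiser_hashes:
                matched.add(user.user_id)
                break
    return matched

# Constructed sample data: alice gave her phone only for 2FA, bob opted in to marketing email.
USERS = [
    User("alice", [Contact("+15555550100", Purpose.SECURITY)]),
    User("bob", [Contact("Bob@Example.com", Purpose.MARKETING)]),
]
# Constructed advertiser upload containing hashes of both identifiers.
ADVERTISER_LIST = {hash_identifier("+15555550100"), hash_identifier("bob@example.com")}

if __name__ == "__main__":
    print("purpose-aware:", build_audience(USERS, ADVERTISER_LIST))  # {'bob'}
    # The flawed behaviour: ignoring purpose pulls in alice's 2FA phone number too.
    print("flawed:", build_audience(USERS, ADVERTISER_LIST, allowed=frozenset(Purpose)))
```

The second call reproduces the class of bug Twitter describes, where security-purpose identifiers are matched like any other; the first shows the join refusing them regardless of what the advertiser uploaded.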
Security advocates, including Matt Green, a Johns Hopkins professor who specializes in cryptography, wasted no time in calling out Twitter for the gaffe.
"In all seriousness: whose idea was it to use a valuable advertising identifier as input to a security system," he wrote on Twitter. "This is like using raw meat to secure your tent against bears."
– Matthew Green (@matthew_d_green) October 8, 2019
Not all 2FA is created equal
Two-factor authentication has proven to be a singularly effective means of protecting accounts against phishing and so-called credential stuffing attacks (the latter use a password swept up in one site's breach to guess passwords on unrelated sites). As the name suggests, 2FA requires a second factor, such as a security key or fingerprint, in addition to a password before a login is allowed from a device that has never accessed the account before.
Over the past few years, security practitioners have increasingly turned away from 2FA based on SMS messages. The reasons: (1) attackers can take control of a user's phone number by impersonating the owner and convincing the carrier to move the number to a new SIM card, and (2) SMS messages can be hijacked through weaknesses in the SS7 (Signaling System No. 7) routing protocol that mobile operators use to make their networks interoperable. Attackers have been known to actively exploit these weaknesses on more than one occasion.
A far more effective form of 2FA relies on physical security keys that connect over USB or NFC, or, less secure but still better than SMS, one-time passwords generated by authenticator apps. Twitter allows either form of 2FA. Both require the user to provide a telephone number.
Twitter signals that a change is coming
Twitter representatives declined to say on the record why a phone number is required to use 2FA. Speaking on background, however, a representative said the requirement is based on past experience in which users frequently lost access to their other 2FA methods and were locked out of their accounts with no way to recover them. Twitter officials now acknowledge that tying 2FA to a phone number is not ideal, and they are looking for ways to decouple the two in the future.
Last year, Facebook was found to be using phone numbers provided for 2FA to send alerts that were unrelated to security. The social network said the behavior was the result of a bug.
Although SMS-based 2FA is not ideal, it is still better for most people than no 2FA at all, at least when services do not use the phone numbers for marketing purposes.