
Twitter lets you use 2FA without a phone number - arkadiyt
https://twitter.com/TwitterSupport/status/1197630682631221248
======
olliepop
No doubt because Jack Dorsey was SIM jacked[1]. SMS 2FA is incredibly
insecure.

[1] https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html

~~~
ksec
I still don't understand this. If SIM swapping were the problem, then it isn't
SMS 2FA that is insecure, it is the telcos themselves, and especially US telcos.

In many other parts of the world, switching SIMs (SIM swapping) requires showing
proof of identification, as well as a written form and signature.

And any CS accessing customer information is instantly logged; there is no
way of paying $1000 to change or SIM swap without going through the proper
procedure (should there be one), and they will be fired for any misconduct.

SMS might not be the best solution to security, but for the average Joe, that is
nearly 4 billion smartphone users, it is better than nothing.

Maybe had Apple created their own MVNO this problem could be solved.

~~~
phicoh
As far as I know, the service telcos provide is the ability to make calls,
receive calls, send text messages, receive them, etc.

Telcos don't get paid to securely provide SIMs. They make hardly any claims
regarding the security of your calls, text messages, etc.

So it is rather odd to hold telcos responsible for the failure of some security
mechanism they were never part of.

~~~
lucideer
The rationalisation here is mindblowing.

By the same logic, no company should ever be held responsible for harm to
users of their products caused by product defects: after all, they never made
any claims regarding their products being safe to use.

~~~
Spivak
I mean I think the ship has pretty much sailed on this one but I think they've
got a case when companies just started using "can receive a text at a given
number" as a security verification which suddenly made it the telco's problem
to make sure such a thing was secure when before it was a more informal
system.

------
roca
Unfortunately there are two big problems:

-- You can't provision more than one security key. I want to provision a
backup key.

-- You must have TOTP or text-message 2FA enabled in order to use a security
key. But the very reason I want to use a security key is because I don't want
to trust my phone!

~~~
Thorrez
>I don't want to trust my phone!

That's an interesting threat model that I don't hear very often. Can you
expand on what threats you're trying to protect against? If you ever sign in
to Twitter on your phone, you're trusting your phone with your Twitter account
at least to some degree.

The main thing security keys protect against that TOTP doesn't is phishing.

~~~
oxplot
You don't necessarily login to Twitter on the phone (I don't for instance).
Even if you did, your login credentials are considered more sensitive data
than the session cookie you get after you're signed in. As with the Twitter
app, the window of time in which your login creds are in memory is short. With
a TOTP app holding your private key around, you basically have half the
credential available at all times (unless of course the TOTP app makes use of
the mobile platform's hardware chip to encrypt the private key when app is not
in use).

~~~
Thorrez
Yes, but assuming your phone is compromised, it can intercept the password and
security key as you sign in, and take over your Twitter account. In fact if
you use your security key to sign in to anything on your phone, the phone
malware can use it to access any account linked to the security key (assuming
the malware has your password). So even if you don't sign in to Twitter on
your phone you're still vulnerable.

And even if you are already signed in to everything and think you won't ever
need to sign in on your phone again, the malware can force a logout of
something, and you won't be able to know if it was just some software update
or expiration that signed you out. So you'll sign in again, and the malware
will intercept your security key.

~~~
roca
I have never used my Yubikey with my phone for any application, I don't even
know if it works, and I see no reason why I would start. I almost never use
Twitter on my phone and if I switched Twitter to my Yubikey, I would never use
it on my phone.

------
badrabbit
Twitter, Google and the rest refuse to let you register without a phone number
and they are aggressive about not allowing burner services.

So I spend money buying burner sims. I can. But normal people can't. They use
phone numbers more than IP addresses to uniquely identify people. Never use
apps if you can use a website!

And screw these companies that are sneakily hostile against their own user
base.

~~~
nontoxyc
I use a lot of burner phones cuz I'm paranoid, and when you sign up for
fb/google/whatever they treat a burner phone you just turned on completely
differently from your regular, existing phone number. Example: if you activate a
burner phone and sign up for tinder with the number, it pauses after you enter
the code and then asks for your email address. You have to separately login
and verify your email. On the other hand, if you sign up for tinder with your
normal number you're verified; it doesn't request an email address. They get
some kind of information packet about your account that I would guess includes
activation date, your approximate age, whether your service is prepaid etc. I
should say, I use the term "burner" for a cheap Android phone you insert a
bring-your-own SIM into. Don't worry, it's not that anonymous because they
also track/correlate your device IMEI with the services you use. I had an
interesting experience the other day. The burner phone service expired, and
tinder knew within 24 hours the number was no longer active...... Creepy.

2010-2019 has been the smart phone decade and now it's coming to an end. I'm
celebrating by letting my cell service expire. My smart phones leak way too
much data. I'll be using my too-smart phones like an ipad, making and
receiving calls and texts only when I'm connected to WiFi at home.

~~~
badrabbit
I have the same experience with tinder. They build shadow profiles on you, and
they're not even discreet about it if you look at their traffic. I get whole
phones with sim cheap.

~~~
nontoxyc
It's the implementation of a "social credit" system. I don't know all the
details but they evaluate your "social media creditworthiness" through your
phone number.

I don't agree to any TOS with tinder and I really doubt they "delete all my
information" when I delete the account like it says.

In fact my guess is they just leave your profile active if it's popular to
encourage other people to "match" with you.

~~~
danillonunes
> In fact my guess is they just leave your profile active if it's popular to
> encourage other people to "match" with you.

I wouldn’t go to the extent of saying they don’t do it, but I think it’s very
unlikely due to the nature of their service. It’s different from, say, Facebook,
which can do it without anyone knowing. If I got into a relationship and closed
my Tinder account but they kept it alive, a single friend could find it and tell
my partner. If this happens too often word will spread that something shady is
going on.

------
noodlesUK
Why can’t we have more than one u2f key??? The most important guarantee that
u2f gives you is a significant reduction in phishing risk. I can still be
phished with a totp code by a social engineering attack and something like
Modlishka...

~~~
filleokus
Yeah, recently demo'ed Modlishka to my org, really scary stuff...

Re U2F keys: I think I would prefer a security model where I provision a U2F
key based on some master secret stored in a "secure" but accessible way, i.e.
paper. Then I could create a new key with the same secret when I lose or
break the first one.

Having two U2F fobs seems almost like having two different locks on all your
doors, set up so that only one is needed to open the door.

~~~
mrb
It's possible to do what you describe with existing open-source/open-hardware
U2F security keys, as they let you define the master secret from which the
per-site private elliptic keys are generated. I haven't personally tried it,
though.

But for security you should still have at least two U2F security keys using
different master secrets (if you lose one security key, you can deactivate it
without deactivating the other).

------
jillesvangurp
I simply refuse to do 2FA with phone number. I change phone providers and
phone number more often than email provider. I generally don't trust my phone
provider to act responsibly and fully expect to get ripped off by them and
their customer support to do all the wrong things.

I implemented 2FA server and frontend support at some point and it's stupidly
easy to do. It's arguably a lot easier to do than building SMS based 2FA
because you don't need the integration with SMS. All you do is show a QR code,
store the shared secret, and then run a simple algorithm to verify the current
code and timestamp line up with what the user typed when they login. The
algorithm for generating codes compatible with Google Authenticator, Authy,
etc. is available in OSS form for several languages. Same for QR code
generation. The rest is bog standard UX work and a bit of DB plumbing.

------
nyuszika7h
As if they won’t arbitrarily lock your account and force you to enter a phone
number because of “suspicious behavior” anyway...

You could already disable SMS 2FA after enabling TOTP, but removing your phone
number completely used to disable 2FA.

~~~
VvR-Ox
Same here. I didn't want to give them my number and they blocked my account
because of 'suspicious behaviour'.

Now I wrote to their support after reading this and I am very interested in
their response.

I think if they go on trying to force me I will just delete the account. This
is the only thing that helps those companies to understand their users needs
when they have problems listening or seeing them on their own, I'm afraid.

~~~
VvR-Ox
UPDATE: The support was very fast and kind and they unlocked my account
without the need to provide a phone number.

------
behnamoh
Facebook doesn't even let you sign up without a phone number anymore. How did
we get here?

~~~
gkoberger
Well, I think the argument (whether you buy it or not) would be that platforms
like Twitter and Facebook are trying to curtail abuse and bots, and "owning a
phone number" is a decent way to tell if someone's human. To my knowledge,
neither has ever texted or used the phone numbers for anything other than
verification.

~~~
aristus
Ahem: https://www.engadget.com/2018/09/28/facebook-two-factor-phone-numbers-ads/

~~~
jeromegv
Both can be true. I tried to open an anonymous Facebook account. Could never
succeed. My twilio number was refused. I couldn’t give my normal phone because
it’s already associated with my other Facebook account. They do want to limit
the number of accounts per person even if that meant more accounts to
advertise.

------
sprice
This is great.

I ported my primary phone number into Twilio years ago. Most apps/websites
have no problem with a `voip` number type. But some systems, including
Twitter, have refused to accept it.

~~~
illnewsthat
Why did you port your number to Twilio? Isn't it a pain for things like group
messaging?

~~~
xyzzy_plugh
Not OP but I think I've participated in a group SMS maybe twice in 10 years
and initiated none. I don't feel like I'd be missing out by not having group
messaging support.

~~~
jedberg
The problem is, you have no idea if you're missing out because you aren't
getting them.

I use Google Voice and my family uses group text to coordinate things like
dinner. I only knew about dinner because my wife gets the group texts.

GVoice eventually fixed the group text problem, but I don't get all the
messages and I get them out of order. I also get other group texts with
important info that I wasn't getting before.

I have no idea how many other group texts I'm missing out on that I might
actually want to be a part of or was missing out on. Everyone assumes that
group text works with all recipients all the time, and since it has no way of
telling the sender it failed to deliver, no one ever follows up.

~~~
jeromegv
Depends on geography. In Canada it’s WhatsApp and Messenger groups. Never had
a group text. Not saying it’s the same across the country but don’t assume
that other are missing on group text, I could get group text and I don’t.

------
Abishek_Muthian
But if you reply to a tweet too soon, get misidentified as a bot & get blocked,
then you have no choice but to link your mobile number to get unblocked.

~~~
RandomBacon
You don't even have to tweet before you get blocked. I created an account, and
after a few minutes of looking around, I was blocked. (Still blocked, because
it's not worth it.)

~~~
Abishek_Muthian
Were you on VPN/Tor, not that I'm implying it's a legible case to block; but
I've read VPN/Tor usage on Twitter will lead you to mobile linking inevitably
due to said issue.

~~~
avian
I had the same experience. Not on VPN/Tor/anything. Before I even posted a
single tweet I got blocked by a generic "our algorithms think you violated
community guidelines" or something.

------
eliseumds
Who came up with the idea of using SMS for 2FA in the first place instead of
e-mail? It sounds insane.

------
sambe
I don't understand. I already have authenticator app ticked, and this doesn't
appear to be the new default - I have it in the authenticator app already too.
If I untick SMS, it says this will disable 2FA. What gives?

EDIT

Looks like a bug. Deleting the phone number gives no such warning, and 2FA
continues to work.

------
nomooses
This is wonderful news. I hope that others follow their example. (In
particular, Apple...)

------
JohnFen
Good move!

A 2FA system that requires me to give a phone number is a 2FA system that I
won't use. I'm not about to give my phone number out to most companies, and
I'm too lazy to go get a burner phone just to set up 2FA.

------
flingo
Strange. Since any new account I add to the site gets locked after about ten
minutes and demands a phone number to verify.

I get the account unlocked after a few days if I pester support about it.
(which is not easy either)

------
AA-BA-94-2A-56
I still can’t log into Twitter because they refuse to send the verification to
my phone number. It’s been three weeks of multiple emails to their support.

All this and I only need the damn thing for my data analysis course.

------
diveanon
I hope paypal and transferwise follow this example. International travelers
have been suffering for years due to this horrible ux.

SMS based 2FA is a farce, I look forward to it going extinct.

~~~
adambowles
PayPal[1] and TransferWise[2] already support TOTP, am I missing something?

[1] https://www.paypal.com/us/smarthelp/article/faq4057

[2] https://transferwise.com/help/12/managing-your-profile/2932125

~~~
diveanon
Both require that you have SMS-based 2FA first. I have had this conversation
with both of their support departments and it's a non-starter.

------
hartator
We need to stop calling this 2FA. If you can reset your password via text or
email, it’s not. I'd rather have no way of resetting the password. And if it is
lost, it is lost.

~~~
snarf21
Exactly. SMS as a 2FA option is _worse_ than no 2FA. It actually creates a
_new_ attack vector.

------
jokoon
I had two old Twitter accounts over the years; I stopped using Twitter and ended
up having both disabled. I messaged their support but got no answer.

------
FabHK
Good, but pathetic that it took so long. The only other 2FA I still do via SMS
occasionally is a bank.

------
shurcooL
I'm glad this happened; I've been waiting for more than 5 years for this.

------
jumelles
I can't believe it's taken them this long for proper 2FA.

~~~
lysp
Not proper as it only allows a single key.

~~~
FabHK
You could argue that it’s up to you to have a proper key backup strategy (i.e.
not Google Authenticator). You don’t have several user names and passwords for
one account, either.

~~~
tialaramex
The specification for WebAuthn (Security Keys) explicitly tells implementers
they SHOULD support multiple tokens because otherwise the recovery scenario is
terrible.

You can't realistically "back up" cheap Security Keys, their whole design is
predicated on your being unable to extract the secret inside them which makes
them work.

~~~
FabHK
Thanks, I stand corrected.

------
trimbo
But I still had to add and verify my email before I could add 2FA.

------
Yizahi
Let me guess (they didn't define it on linked page) - 2FA with a physical
token only works in Googlenet Chrome?

------
ycombonator
And people in the 60s thought we would be commuting in flying cars by now.

------
wyuenho
What took Twitter so long?

