If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.
Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users’ 2FA protection is based solely on security keys or authenticator apps, which don’t rely on phone numbers to work. Deleting a phone number from a user’s Twitter settings immediately withdraws account from Twitter 2FA, as I confirmed just prior to publishing this post.
Security and privacy advocates have long grumbled about this requirement, which isn’t a condition of using 2FA protection from Google, Github, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn’t say if the number of users affected by the blunder affected was in the hundreds or the millions or how long the improper targeting lasted.
Company officials wrote:
We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.
Security advocates, including Matt Green—a Johns Hopkins professor specializing in cryptography—wasted no time castigating Twitter for the gaffe.
“In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system,” he wrote on Twitter. “This is like using raw meat to secure your tent against bears.”
In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears.
— Matthew Green (@matthew_d_green) October 8, 2019
Not all 2FA was created equal
Two-factor authentication has emerged as the single-most effective means for protecting accounts against phishing and so-called credential-stuffing attacks (the latter uses passwords swept up in breaches on one site to guess passwords on unrelated sites). As the name suggests, 2FA requires a factor—for example, a security key or a fingerprint—in addition to a password to successfully log in from a device that has never accessed the account before.
Over the past few years, security practitioners have increasingly turned away from 2FA based on SMS text messages. The reasons: (1) attackers can take control of users’ phone numbers by impersonating the owners and getting the carrier to swap out the SIM card, and (2) SMS messages can be hijacked through weakness in the Signalling System No. 7 routing protocol that cellular carriers use to make their networks interoperable. Attackers have been known to actively exploit these weaknesses more than once. A far more effective means of 2FA relies on physical security keys that connect over USB or NFC interfaces or—less secure but still better than SMS—one-time passwords generated by authenticator apps. Twitter allows either form of 2FA. Both require a user to provide a phone number.
Twitter signals a change is coming
Twitter representatives declined to answer on the record why a phone number is required to use 2FA. A representative on background, however, said that the requirement is based on previous experiences in which users frequently lost access to other 2FA methods and were locked out of accounts with no way to recover. Twitter officials now recognize that tying 2FA to a phone number isn’t ideal, and they are looking for ways to decouple the two in the future.
Last year, Facebook was outed for using 2FA-provided phone numbers to send notifications that weren’t related to security. The social network said the behavior was the result of a bug.
While SMS-based 2FA isn’t ideal, it’s still better for most people than no 2FA at all—at least when services don’t use phone numbers for marketing purposes.