I already know that I’m not the customer for Twitter. Advertisers are the customers. That’s who gives them money, not me.

But it always really hits home that Twitter doesn’t care about me when I try to do anything with it and am confronted with their security choices.

Twitter’s terrible 2 factor authentication choices

Two-Factor Authentication (2FA) and Twitter

Unfortunately, given the current security landscape of the digital world in which we live, 2FA is a requirement. Your passwords aren’t safe, they get lost all the time, and the only way to really help make sure that you don’t lose access to your accounts to some nefarious actor is 2FA.

Given that, Twitter provides three different options to use for 2FA.

  1. Text Message
  2. Mobile Security App
  3. Security Key

Two of these are great, but one is terrible. Text messaging 2FA keys is nothing but a hack waiting to happen. It’s not all that hard for a hacker to spoof text messages to get your 2FA tokens. This has been happening for years and is well known in security circles.

Why on earth is Twitter providing a known insecure method for securing your account? Even worse, why are they using a phone number verification as a password reset requirement with their password reset protection? Especially since I know I have this checked and…didn’t receive any other verification when I reset my password.

If Twitter were really concerned about their users then they’d be taking account security more seriously.

But they won’t. We’re not the customers, we’re the product.

Photo by: rdmarsh