This article was originally published on not your CISO on Medium. Read the full post →
Last night, just before I went to sleep, I decided to check Twitter. The first thing I saw was the announcement that Twitter was removing SMS-based two-factor authentication for non-Twitter Blue users. The reaction was predictably split — some celebrated, some panicked.
Both reactions missed the point.
SMS-based 2FA is not secure. It is better than a password alone, but SIM-swapping attacks have made it a weak link that sophisticated attackers exploit routinely. The Twitter decision — however poorly communicated — is directionally correct. The question for security teams and individuals alike is: what replaces it?