Skip to main content

You Must Remove Text Message Two-Factor Authentication

Rishipal Yadav
Author
Rishipal Yadav
Assistant Manager – Cybersecurity @ Uniqus Consultech · CISSP · GCP-ACE · M.Eng Cybersecurity, UMD · Writing at not your CISO

This article was originally published on not your CISO on Medium. Read the full post →

Last night, just before I went to sleep, I decided to check Twitter. The first thing I saw was the announcement that Twitter was removing SMS-based two-factor authentication for non-Twitter Blue users. The reaction was predictably split — some celebrated, some panicked.

Both reactions missed the point.

SMS-based 2FA is not secure. It is better than a password alone, but SIM-swapping attacks have made it a weak link that sophisticated attackers exploit routinely. The Twitter decision — however poorly communicated — is directionally correct. The question for security teams and individuals alike is: what replaces it?


Continue reading on Medium →