Twitter has been in the news again, and this time because of security. The company has announced that it will only allow its users to secure their accounts with SMS-based two-factor authentication (2FA) if they pay for a Twitter Blue subscription. This surprised a number of people (e.g., Davey Winder here in Forbes) because in 2023 no one should be using SMS for “security” in any circumstances: not banks, not fintechs, not payment companies, not governments, not Twitter, not anyone.
SMS Is Not Security
SMS was deprecated as an authentication method by the US Department of Commerce’s National Institute of Standards and Technology (NIST) back in July 2016, when it said that SMS “is deprecated, and will no longer be allowed in future releases of this guidance”. Therefore it seems to me that we should by now have stopped using the phrase “SMS security” completely! Charles Brookson, then the head of the security group at the mobile operators’ association (the GSMA), made this point 15 years ago. I was there. He gave a talk about the use of SMS for mobile banking and payment services and made the point that SMS has, to all intents and purposes, no security whatsoever. Yet as of today, the default 2FA option for all kinds of fintech services remains SMS.