NewsBite

Advertisement

This was published 1 year ago

Twitter is demanding payment for security. What should users do?

By Nick Bonyhady

From Uber to Netflix and Airbnb, getting users hooked on cut-price services before slowly ratcheting up prices is a tried and tested strategy in the technology industry. But applying that same approach to security was all but untested until Twitter, under its new owner Elon Musk, declared mid-February that users would pay to have login verification codes sent via text message.

The new policy, in place from March 20, means users will have to switch to another method of getting the codes, or cough up at least $13 a month, or do without the security feature. Almost every other technology company offers it for free.

Twitter owner Elon Musk has been unrepentant about his plans to charge for text-based login authentication.

Twitter owner Elon Musk has been unrepentant about his plans to charge for text-based login authentication.Credit: Bloomberg

The SMS codes are an example of what is known as two-factor authentication (2FA), or if there are more than two pieces of verification required to log in – multifactor authentication. In short, that means the user needs more than their username and password to access a service.

They must also have a unique piece of data that only they know or can access to log in. Most often, that is a code contained in a text message sent to a user’s mobile phone. The Australian government calls it “one of the most effective ways to protect your valuable information and accounts against unauthorised access”. That is because it works and is simple to set up.

Musk, naturally, disagrees. “Twitter is getting scammed by phone companies for $60 million/year of fake 2FA SMS messages,” he wrote in one tweet. In another, he said that the “use of free authentication apps for 2FA will remain free and are much more secure than SMS”.

Twitter wants to charge users to have login verification codes sent via text message.

Twitter wants to charge users to have login verification codes sent via text message.Credit: Mary Altaffer

The first post refers to the cost of a service like Twitter sending out SMS messages, which individually cost almost nothing but collectively add up. The “fake” reference and the second post’s criticism of the security of SMS messages refers to a phenomenon of hackers impersonating users’ phone numbers.

This could be as manual as convincing a phone company to transfer a users’ number to a new SIM card or much more technically complex.

“SIM swap fraud is growing and it only takes access to your phone number for a hacker to wrongfully prove themselves to be the owner of your social media handle,” said Fran Rosch, chief executive of corporate digital identity management company ForgeRock.

Advertisement
Loading

The alternative, as Musk told Twitter users, is to use an app and there’s a wide range available, with most relying on common industry standards to generate the same kind of codes as are sent via text message.

Among the most popular are Google Authenticator (which works with more than just Google services), Microsoft Authenticator, Authy, and 1Password. The latter also doubles as a password management tool, helping users to keep track of all their passwords, which should ideally be different and lengthy.

To set up these apps, users typically log in to whatever app they are trying to secure, navigate through settings to a two-factor authentication page, and then scan a QR code with their phone to link the verification app to their account. Many authentication services are free.

But while these apps are better, they are also rarely used. Twitter’s most recent data, which is from December 2021, shows that very few of its users have two-factor authentication turned on but that almost 75 per cent of that group use SMS to get verification codes.

Loading

If Twitter users with text-based authentication don’t turn it on by March 20, they will lose it altogether. RMIT professor Aisha Rao said in written comments that Twitter’s change could worsen those users’ security if they don’t realise that other methods are available.

“Social media already has a problem with cybersecurity,” Rao said. Australia’s eSafety Commissioner, Julie Inman Grant, agrees, saying security should be fundamental to social media rather than an add-on that users have to pay for.

“We know that Australians, the end-users of these platforms, want companies to do more to proactively address online safety,” Grant said. “A recent eSafety survey showed that 84 per cent of Australian adults think tech companies have a responsibility for their online safety.”

Twitter no longer has Australian media staff to answer queries.

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.

Most Viewed in Technology

Loading

Original URL: https://www.theage.com.au/technology/twitter-is-demanding-payment-for-security-what-should-users-do-20230223-p5cmzx.html