Adding an extra layer of security to your online accounts is a fundamental step to protect your digital life from hackers, but what's the point if the new methods are just as vulnerable as the old ones?
It's a question some Twitter users are asking after discovering that the two-factor authentication on their accounts isn't as secure as it seems.
But let's back up for a second. No matter who you are, having your Twitter hacked would be a major bummer. In the case of political figures like Donald Trump, however, a hijacked account means more than just a headache — think of the havoc a fake policy pronouncement could wreak?
And so it was welcome news back in 2013 when Twitter rolled out two-factor authentication (2FA) to all of its users. This added layer of security allows users to protect their accounts, even if their passwords had been stolen, by requiring a second login credential sent via text message.
Great, right? Well, kinda.
While SMS-based 2FA does provide additional protection, there's a big problem with it. Namely, SMS itself isn't secure. A flaw in what is known as Signaling System 7 protocol (SS7) — something that allows different phone carriers to communicate back and forth — means that hackers can redirect texts to practically any number they want.
That means your SMS verification code could end up being sent directly to the cellphone of your hacker.
And this is not just theoretical. In January of 2017, reports Ars Technica, a group of criminals exploited this flaw to snatch victims' SMS verification codes and drain their bank accounts.
So, with text-based 2FA known to have a security hole so large you could drive a truck through it, Twitter helpfully introduced additional ways to set up 2FA. Users who already have access to their accounts via the Twitter mobile app can use something called a login code generator, but as this requires already being logged in on mobile it doesn't help if you're signed out.
The other method, a 3rd-party authenticator app,