
Twitter will charge for SMS 2FA

Hip Hop

Member
So can anyone tell me about all these shakeups, is Twitter too big now to affect its numbers that they are doing whatever to it, charging prices for basics?

Or is this just a big fuck up waiting to explode? Like is there an alternative or is Twitter here to stay forever regardless of anything?
 

RAÏSanÏa

Member
art tron GIF
 

RCU005

Member
Authy CEO be like: "Hell yeah!"

I never knew about authentication apps until I moved to a place where I don't get a cellular signal. It was a pain to be able to login to my accounts because I never got the SMS with the code. I began to do research and found out about them. Now all my accounts are secured with 2FA via app.
 

YCoCg

Member
Uhh what's the issue here exactly? Genuine question.
Most people using 2FA use the text-messaging-based version; now these people are being told to remove their number from the 2FA account or pay for Twitter Blue.
 
As shit as this is, it might actually be a positive if it forces people to use alternative 2FA methods. SMS is probably fine for most people but it's not as secure as using an authentication app or physical security key. So I can kinda get the reasoning of charging for SMS (if that is indeed their reasoning) but still not defending it. If that's what they are trying to do then just remove SMS 2FA and force people to use an app/key if they want to secure their account.
 

Thaedolus

Member
“Thank you, SMS based 2FA is nowhere near as secure as auth apps”. Also not as reliable, as without a good cellular connection (SMS does not go through the data channel) you are toast.
But still better than nothing at all, which is where a lot of people may be when they don’t want to/can’t download an authenticator or bother writing down security keys. If the overall rate of users using 2FA plummets due to this, those factors you mentioned won’t matter much to the FTC.
 

BadBurger

Is 'That Pure Potato'
“Thank you, SMS based 2FA is nowhere near as secure as auth apps”. Also not as reliable, as without a good cellular connection (SMS does not go through the data channel) you are toast.

The point isn't how much more effective one solution is compared to another, obviously, it's that Twitter was told to better secure user data end to end. The average user has no fucking idea what a 2FA dedicated app is and isn't technical at all, but they can understand the simplicity of entering a code messaged to their phone. Placing additional burden upon the user would obviously not be something the FTC would be thrilled about.
 

ReBurn

Gold Member
The point isn't how much more effective one solution is compared to another, obviously, it's that Twitter was told to better secure user data end to end. The average user has no fucking idea what a 2FA dedicated app is and isn't technical at all, but they can understand the simplicity of entering a code messaged to their phone. Placing additional burden upon the user would obviously not be something the FTC would be thrilled about.
Assuming that the average user has the ability to read and can sign in to an online account, they should be able to follow the instructions provided for using an authenticator app. It doesn't require any more technical proficiency than using Twitter itself. Most SMS authentication schemes require you to open your SMS app to retrieve an authentication code to provide to the app you're authenticating to. How is opening an authenticator app to retrieve a code any more technical than opening your SMS app to retrieve one?

If the FTC sees this as a reduction in data security then the FTC are absolutely idiots.
 

BadBurger

Is 'That Pure Potato'
Assuming that the average user has the ability to read and can sign in to an online account, they should be able to follow the instructions provided for using an authenticator app. It doesn't require any more technical proficiency than using Twitter itself. Most SMS authentication schemes require you to open your SMS app to retrieve an authentication code to provide to the app you're authenticating to. How is opening an authenticator app to retrieve a code any more technical than opening your SMS app to retrieve one?

If the FTC sees this as a reduction in data security then the FTC are absolutely idiots.

Twitter is asking users to seek out a third party to provide the security they themselves should be providing gratis, and as easily as possible.

And as someone who has worked in tech and IT for a long time in many roles, including security, you're giving the average person too much credit.
 

CGNoire

Member
What a greedy ass world we live in. At this rate, in due time we're gonna have to pay $20 a day extra just to push the switch on our heater in the winter and $100 to turn that same "heater" off in the summer.
 

Warnen

Don't pass gaas, it is your Destiny!
Meh maybe it’s time to delete Twitter and just go to bungie’s website for destiny updates (all I use Twitter for these days).
 

jm89

Member
I'd prefer an authenticator app, actually.
While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.

With SMS fallback you can transfer your number to a new SIM and start using whatever needs MFA. Although I guess email being a fallback wouldn't make SMS MFA necessary.
 

ReBurn

Gold Member
Twitter is asking users to seek out a third party to provide the security they themselves should be providing gratis, and as easily as possible.

And as someone who has worked in tech and IT for a long time in many roles, including security, you're giving the average person too much credit.
Use of a third party authentication app like Google's authenticator app doesn't add additional cost for the user. And it's not more difficult than any other common MFA schemes.

I've also worked in software system architecture and data security for nearly 30 years, deploying multiple MFA schemes for many public facing applications. So I feel quite confident in telling you that your concern is misplaced. Authentication apps have been a thing for more than a decade. This isn't springing some new and esoteric technology on the masses. This is a commonly accepted method for providing secure one time passwords to secure software systems. The entire reason MFA exists is because the average user is a moron.
 

BadBurger

Is 'That Pure Potato'
Use of a third party authentication app like Google's authenticator app doesn't add additional cost for the user. And it's not more difficult than any other common MFA schemes.

I've also worked in software system architecture and data security for nearly 30 years, deploying multiple MFA schemes for many public facing applications. So I feel quite confident in telling you that your concern is misplaced. Authentication apps have been a thing for more than a decade. This isn't springing some new and esoteric technology on the masses. This is a commonly accepted method for providing secure one time passwords to secure software systems. The entire reason MFA exists is because the average user is a moron.

I didn't mean to suggest they'd cost the user monetarily. But when we're talking about an app like Twitter, in which most people are using on their phones and in many cases trading on their real identities and sharing and storing real, valuable information, the onus should be upon the platform holder to provide security. Twitter is profiting off the user and their information, after all.

It's like in healthcare IT, my current gig, infrastructure and devops, but I had to help out when we set up our 2FA solution (cloud provider). I was part of the team that helped set up the infrastructure and solution between on-prem AD and two sites/data centers and Azure. We are expected to provide this to users free of charge, and to make it as easy and careless to use as possible, including down to how robust and easily accessible support is for it (our help desk).

Of course with HIPAA and all we're held to a higher standard, but I see no reason why a company like Twitter shouldn't at least be expected to provide the bare minimum - especially when under consent decree to do so.
 

Cyberpunkd

Member
So can anyone tell me about all these shakeups, is Twitter too big now to affect its numbers that they are doing whatever to it, charging prices for basics?

Or is this just a big fuck up waiting to explode? Like is there an alternative or is Twitter here to stay forever regardless of anything?
I don't think anyone at Twitter knows what to do anymore, Musk included. It seems to me after years nobody really knows what they want the platform to be.
 

BadBurger

Is 'That Pure Potato'
I don't think anyone at Twitter knows what to do anymore, Musk included. It seems to me after years nobody really knows what they want the platform to be.

If I had to guess, Musk is using the lessons and practices he learned and grew accustomed to at Tesla here. At Tesla he charges users for features of the cars, basically licenses them out. He probably has the same perspective here. He probably is looking at all of the ways people and developers use and interact with Twitter and monetizing each component. Like the API for devs. Only, like you said, and I agree, he probably doesn't grasp the ramifications of what he's proposing.
 

Winter John

Gold Member
Good for them. It don't go far enough sadly. The idiots will make a fuss and threaten to leave like they always do, then they'll go right back to yelling at each other over nothing. If I was in charge of that place they'd be gettin charged by the Tweet. 2 bucks a shot. Then I'd announce a subscription plan to shut the whiners down, cos obviously gettin those morons to cough up 20 bucks a month would be my real goal. Then I'd get some extra moron tax by introducing pod people tiers. Elon or Eton or whatever the fuck your name is. I await your call.
 

Lunarorbit

Member
Looks kinda like the animation from samurai jack.

Elon Musk is out of his mind. Come Tuesday this will be reversed. Seems like such a bad idea. And while not illegal (I have no idea), it seems like having 2FA thru text is an extremely standard procedure for most customers. Could see objections to this very fast.
 

ReBurn

Gold Member
While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.

With SMS fallback you can transfer your number to a new SIM and start using whatever needs MFA. Although I guess email being a fallback wouldn't make SMS MFA necessary.
Email link authentication is a common MFA fallback but it is less secure overall since email is one of the most commonly compromised systems people use. It's often impossible to tell if someone unauthorized is accessing it. It's also generally more expensive for companies to use it for MFA compared to SMS. SMS as a third leg fallback in an MFA scheme is reasonable if you lose your authentication keys.

I'm not saying that authenticator apps are better from a user experience perspective. I am saying that they are generally more secure from a data security perspective and they don't increase cost for users. MFA by design is intended to force people to take the security of their personal data more seriously. People who switch phone numbers often screw themselves over because their SMS-based MFA dies at that point and unless companies are processing carrier deactivation lists someone who is assigned your old number may be able to access your accounts.
 

ReBurn

Gold Member
I didn't mean to suggest they'd cost the user monetarily. But when we're talking about an app like Twitter, in which most people are using on their phones and in many cases trading on their real identities and sharing and storing real, valuable information, the onus should be upon the platform holder to provide security. Twitter is profiting off the user and their information, after all.

It's like in healthcare IT, my current gig, infrastructure and devops, but I had to help out when we set up our 2FA solution (cloud provider). I was part of the team that helped set up the infrastructure and solution between on-prem AD and two sites/data centers and Azure. We are expected to provide this to users free of charge, and to make it as easy and careless to use as possible, including down to how robust and easily accessible support is for it (our help desk).

Of course with HIPAA and all we're held to a higher standard, but I see no reason why a company like Twitter shouldn't at least be expected to provide the bare minimum - especially when under consent decree to do so.
I respectfully disagree. If you're trading on your real identity in a social media setting then you should be primarily responsible for securing your real, valuable information and not trusting it to some company that uses you as their product. App-based authentication is not lessening security of your data. In most ways it's increasing that security because even you can be locked out if you don't possess sufficient means to prove that it is you accessing that data.

I spent 10 years of my career building patient-facing applications for health data management and health insurance claim management. I'm fully versed in HIPAA requirements. I'm currently working in consumer finance tech. In every use case I have provided data security and MFA to users free of charge. I bear the infrastructure costs of services like ADFS, AD B2C and Okta to keep data safe and access secure.

What you're not articulating is how app-based MFA makes security more expensive for users or makes their data less secure. Twitter is not saying they are eliminating data security for people who won't pay. They're saying they're going to stop sending text messages with authentication codes to people and will instead use fast-expiring randomly generated auth tokens.
 

BadBurger

Is 'That Pure Potato'
While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.

With SMS fallback you can transfer your number to a new SIM and start using whatever needs MFA. Although I guess email being a fallback wouldn't make SMS MFA necessary.

Just sharing information on how hairy this can all get, but it's relevant, and I'll try to tie it back in:

My network has to provide MFA by tier.

For people like me, who possess a high level of administrative privileges over basically everything (while the various security and ISO groups manage us like hawks as oversight, of course), I can only authenticate using our client tied to a device, in my case my phone. In simplest terms it holds my private key / token, and it (the phone) must be encrypted to ensure numerous layers of security. Whether I am logging into a Windows Virtual Desktop session from home or, God forbid, have to actually go into the office and use a desktop on-prem, I must be able to tell the authority to send me a push, then log onto my phone via biometrics, then confirm. If I lose my phone there is no break-glass solution; it's an entire rough ordeal to regain access. HIPAA is fun.

But for say some random materials management person, they can use SMS or even a phone call to help desk to confirm their identity and get them set back up (it's an involved process, not something that can be easily socially engineered).

Things as insecure and easily compromised as an email link is simply not allowed. It is considered too insecure.

Using this as a springboard back into the discussion at hand: to my knowledge, last I checked anyways, Twitter doesn't even require two factor auth. It's something left up to the user whether or not they want to use it. SMS is the easiest method, so people naturally opt for it. If that option is taken away, the likelihood is many will just say F it and drop 2FA altogether. An undesirable outcome for all involved.

At the end of the day both my organization and Twitter are expected to protect data. Why should Twitter be able to charge for barebones MFA? Especially while under consent decree? While other organizations like mine are expected to invest millions into providing this security, then millions annually maintaining it? Yes protected health information is more sensitive and valuable to attackers, but the private information of individuals using Twitter is also sensitive and valuable. Information that even partially compromised can be used to later scam them.

This whole proposal just rubs me the wrong way on numerous levels. I don't like how the conversation steers any kind of burden upon the users at all (such as expecting them to use a third party auth app). It should be assumed the user will make mistakes and is vulnerable, so therefore the platform holder should be expected to fill in the necessary gaps.

Asking grandpa with an attractive pot of $400k in his bank account after a long life of working and saving to learn how to use Google Authenticator just so he can continue to see his granddaughter's latest soccer match highlights on Twitter, or else pay $8 a month to go back to the practical and simple method he already understands, feels immoral and predatory to me. A violation of trust even.

Maybe I'm just rambling at this point. But I'll just say that if this goes forward it will lead to some terrible outcomes for those in our society most vulnerable to directed cyber attack. All so that an already obscenely rich individual can try to salvage a platform he should have never purchased in the first place.
 

BadBurger

Is 'That Pure Potato'
I respectfully disagree. If you're trading on your real identity in a social media setting then you should be primarily responsible for securing your real, valuable information and not trusting it to some company that uses you as their product. App-based authentication is not lessening security of your data. In most ways it's increasing that security because even you can be locked out if you don't possess sufficient means to prove that it is you accessing that data.

I spent 10 years of my career building patient-facing applications for health data management and health insurance claim management. I'm fully versed in HIPAA requirements. I'm currently working in consumer finance tech. In every use case I have provided data security and MFA to users free of charge. I bear the infrastructure costs of services like ADFS, AD B2C and Okta to keep data safe and access secure.

What you're not articulating is how app-based MFA makes security more expensive for users or makes their data less secure. Twitter is not saying they are eliminating data security for people who won't pay. They're saying they're going to stop sending text messages with authentication codes to people and will instead use fast-expiring randomly generated auth tokens.

Wow, I hit reply on my post before seeing yours, and it looks like on a philosophical level we're kind of diametrically opposed. And this is interesting. This is now the most interesting conversation I have had on GAF. Cheers man.

But I am going to have to obviously disagree ;)

Edit: basically I feel that it's my duty, as the platform holder, to protect the vulnerable. You place that burden entirely upon them. Interesting.

Edit 2: I see you worked within the confines and restrictions of HIPAA in the past - just remember, it changes and becomes more demanding almost every year. I used to only have to take around three training classes and one test a year to prove I understood how to remain compliant. Now it's like nine courses and three tests.
 

ReBurn

Gold Member
Wow, I hit reply on my post before seeing yours, and it looks like on a philosophical level we're kind of diametrically opposed. And this is interesting. This is now the most interesting conversation I have had on GAF. Cheers man.

But I am going to have to obviously disagree ;)

Edit: basically I feel that it's my duty, as the platform holder, to protect the vulnerable. You place that burden entirely upon them. Interesting.
I don't think we're diametrically opposed. I also believe that I am responsible for protecting the data I keep in my systems and I make extraordinary effort to do so. There is normally clear regulation relating to PHI, PCI and PII and the responsibility data system operators have to protect that information. I take that responsibility very seriously. But the data systems that you and I build are not like Twitter.

I think where we differ is the responsibility to protect people from themselves. Twitter giving people a month to migrate to an alternate, no-cost MFA method before disabling SMS-based MFA is reasonable, especially for free social media accounts. If someone is paying them for Twitter access and has payment information on file this does not affect them, and if they have payment information on file but are not paying for access then they're probably an idiot.

Presumably there's not much in there to protect for a free account other than a name, phone number and email address. Those pieces of information are not typically considered private on their own and people freely put them into pretty much everything without thought. If you put them into a social media app that tells you explicitly in their terms of service that they are going to sell that information to third parties in exchange for money to provide free access to you, then what can you reasonably expect in terms of protection? They don't even make people use MFA, it's just an option, and most people who struggle with the inconvenience of MFA will have never turned it on anyway.

I think that if a person is trading on their name and building a reputation or influence via social media then those people are responsible for the information they share and the consequences of doing so, not the platforms that host them. If your account is that important to you then just pay the money for Blue or use the free, equally secure option.
 

Lasha

Member
Twitter is asking users to seek out a third party to provide the security they themselves should be providing gratis, and as easily as possible.

And as someone who has worked in tech and IT for a long time in many roles, including security, you're giving the average person too much credit.

Twitter is asking people to pay for legacy MFA that costs Twitter money to provide. Time based OTP or security keys are the level of security people need and Twitter provides support for both free of charge.

While authenticator apps are more convenient, it's always good to have an SMS backup. If something happens to your phone you're basically fucked, and have to find a way to reset the MFA without logging in.

With SMS fallback you can transfer your number to a new SIM and start using whatever needs MFA. Although I guess email being a fallback wouldn't make SMS MFA necessary.

Your fallback should be a hardware security key. More secure than phones and nearly universal. SMS MFA is costly, less secure, and troublesome if you need to change your number.
 
Twitter is asking users to seek out a third party to provide the security they themselves should be providing gratis, and as easily as possible.

And as someone who has worked in tech and IT for a long time in many roles, including security, you're giving the average person too much credit.

Er, SMS is also using a third party, phone/telco providers and not a secure transmission either. Generally SMS hops many third party networks for each message, all insecure.
 

BadBurger

Is 'That Pure Potato'
Er, SMS is also using a third party, phone/telco providers and not a secure transmission either. Generally SMS hops many third party networks for each message, all insecure.

Security is provided at levels higher than the physical and data link layers.

It doesn't matter if a packet travels over electricity in an ethernet cable, then via pulses of light in fiber, and finally via radio waves for wifi, over 900 hops, things like encryption and trust at higher levels provide protection of the data.
 
Security is provided at levels higher than the physical and data link layers.

It doesn't matter if a packet travels over electricity in an ethernet cable, then via pulses of light in fiber, and finally via radio waves for wifi, over 900 hops, things like encryption and trust at higher levels provide protection of the data.
No, SMS is sent in the clear, unencrypted. Packet sniffing, router hijacking, phone cloning, carrier staff reading customer SMS and many more techniques expose the insecurities of SMS. There are devices out there to literally intercept SMS messages en masse from a local wireless tower.

Auth apps are secure, end to end.
 

Tams

Member
Wow, I hit reply on my post before seeing yours, and it looks like on a philosophical level we're kind of diametrically opposed. And this is interesting. This is now the most interesting conversation I have had on GAF. Cheers man.

But I am going to have to obviously disagree ;)

Edit: basically I feel that it's my duty, as the platform holder, to protect the vulnerable. You place that burden entirely upon them. Interesting.

Edit 2: I see you worked within the confines and restrictions of HIPAA in the past - just remember, it changes and becomes more demanding almost every year. I used to only have to take around three training classes and one test a year to prove I understood how to remain compliant. Now it's like nine courses and three tests.
This is Twitter, a luxury, not healthcare though.
 

Azurro

Banned
So can anyone tell me about all these shakeups, is Twitter too big now to affect its numbers that they are doing whatever to it, charging prices for basics?

Or is this just a big fuck up waiting to explode? Like is there an alternative or is Twitter here to stay forever regardless of anything?

There is no alternative to Twitter.
 

Sonik

Member
Dumb decision but who the fuck uses 2FA on twitter? I don't give an email on reddit, if I lose the account I'll just make another one, who gives a shit about these hellholes?
 

LiquidMetal14

hide your water-based mammals
Considering it's been losing money you can understand the need to make it viable from a financial perspective.

People can laugh or roll their eyes but I would be trying to figure out ways for this to work given it's one of the biggest social media platforms in the world.
 

Madonis

Member
Buy Twitter.
Make it less convenient to use and start charging for existing features.
????
Profit...kinda, hopefully?
 

Lasha

Member
No, SMS is sent in the clear, unencrypted. Packet sniffing, router hijacking, phone cloning, carrier staff reading customer SMS and many more techniques expose the insecurities of SMS. There are devices out there to literally intercept SMS messages en masse from a local wireless tower.

Auth apps are secure, end to end.
Experienced IT guys thinking SMS is encrypted explains why healthcare security is so shit. This is the same industry that until recently had entire networks of patient data in plaintext because it was assumed an attacker couldn't "plug in".
 