Twitter 2FA change is ringing my cybersecurity alarm bells
A few days ago, Twitter made an announcement that made my hair stand on end: The blue bird social media platform will now only allow users who pay for a Twitter Blue subscription to utilize two-factor authentication (2FA) to help secure their accounts against hackers and cyber criminals. This means that anyone who isn’t willing to pay a monthly $8 (iOS) or $11 (Android) fee will now be unable to keep their account as secure as possible. (Read this NPR story for a good breakdown of the announcement.)
That “thunk” you heard was my head hitting my desk.
Can we have some real talk for a second here, please? The TLDR version of this post: This is a terrible idea for a myriad of reasons, and companies need to be really worried about this from a cybersecurity perspective.
This is going to be a lengthy post, but I feel the need to really talk about this issue completely:
Why it is a shockingly horrible idea
Why it should be a giant red flag to companies and organizations that have not put proper social media governance in place
What it could mean for the future of Twitter
What you should do about it
WHY IT IS A SHOCKINGLY HORRIBLE IDEA
Let’s start at the beginning. If you don’t know what two-factor is, that’s the fancy name for the process where you get a text message with a code to enter in order to log into your account. It’s an extra safety layer. It’s another way to verify it’s really you who wants to log in and not a crook. It inherently makes your account safer. It is cheap, reliable and proven technology. And it is offered for free by every major tech company from Google on down because it’s a feature that makes every platform safer to use. It’s a win-win. And quite honestly it’s table stakes these days for any major tech platform (social media or otherwise). It’s an industry standard.
To be fair, Twitter’s announcement DOES say that people who do not subscribe to Twitter Blue will still be able to use 2FA via an authenticator app (like Microsoft Authenticator) or via a security token. It is only 2FA via text message that is being eliminated. I could see those solutions being used by corporations perhaps with authenticator apps in place already, or maybe by extremely security-minded folks, but let’s be honest. The majority of consumers stick with the system default, and most will be happy the annoying codes went away.
Now, let’s talk about the aforementioned myriad of reasons this is a painfully tone-deaf and stupid move by Twitter. Yes, I said stupid. Because it’s stupid.
Making it less safe makes it less profitable: I am assuming (possibly incorrectly) that Elon Musk’s overall goal is for Twitter to make money some day. So it seems super odd for him to make a change that makes the tool less safe in such an obvious cash grab kind of way. If consumers don’t think your tool is safe, they won’t use it. No users = no ad dollars = no profits.
Changing consumer behavior is hard. In my 10 years covering retail and consumer behavior as a newspaper reporter (before my social media days), I learned several truths. Americans always want a bargain. They do not like to pay for stuff. And they certainly don’t like paying for stuff that used to be free. They also LOVE free stuff. So taking away something that was free and instituting a charge for it is straight-up guaranteed to be a terrible idea. Then Twitter made it optional – and when push comes to shove, most people are not going to value their account security enough to fork over $80-$110 a year for one tool/platform. In addition, let’s not forget that consumers are being nickeled and dimed to death right now by streaming media services. The last thing anyone wants is another $10 monthly charge because we all have roughly 12 of those already. I predict the adoption rate on Twitter Blue will be very low after the change – which means a large percentage of users will now be less safe in a meaningful way.
People’s passwords suck. Why do I say those users’ accounts will be meaningfully less safe? Raise your hand if your password includes the name of your child, your pet, your address, your spouse’s name, your alma mater, the year you graduated, the year you were born or your birthday. Believe it or not, we are not password masterminds, people. Raise your hand if your password is “password.” (Seriously if this is you, read this and change that immediately. Go now! You can come back and read the rest of this later.) All on their own, a shocking number of passwords are not hard to guess.
This ship has sailed. You just can’t charge for something that has been free forever and is free from everyone else in the world. Consumers won’t let you.
They DO have competition. Users of any service are fickle. It’s not like Twitter is the only girl at this dance.
The liability. I see two possible ways this opens Twitter up to risk (disclosure: I am obviously not a lawyer). First, if a bunch of user accounts get hacked because of the lack of security, I could see users suing Twitter for damage to their brand, personal image, company, etc. If a big brand comes in with their legal team, things could get interesting quickly. In addition, if enough general users of Twitter have issues like this, or if there is a large wave of lawsuits around this issue, then Twitter is dealing with a reputational issue of its own making – which is always such an awesome feeling.
WHY THIS IS A GIANT CYBERSECURITY RED FLAG FOR COMPANIES AND ORGANIZATIONS
I can tell you from first-hand experience that most companies are not ready for a major social media cybersecurity event. Most companies have terrible password management, no protocols for managing passwords, changing passwords or even knowing the passwords. This results in all kinds of chaos all the time. The larger the organization, the more complex the issue. This is how you wind up with social media accounts that no one at the company can access. This is how you wind up with an ex-intern from four years ago still being able to log into the corporate Twitter account. (For more on governance, please read your heart out over here.) So add to this already-chaotic picture the removal of one of the key security tools that is actually in place and well… the passwords are ripe for the picking.
To be honest, managing passwords at the organizational level is extremely difficult. Password management needs to be centralized and managed like identity management of other things like email addresses. In practice, though, the social media team is always left holding the bag on keeping everything organized and accounted for. In the cases of the world’s largest companies, this can mean they are managing passwords, access and login credentials for hundreds of accounts and thousands of people – not to mention partners, agencies and contractors who may work on social media. So removal of 2FA, which is kind of the industry bare minimum, is horrifying.
As I said above, it is possible for companies to use 2FA via a perhaps already-in-place security authenticator app, but the changes take place on March 20. So the time to discuss it is right now.
Devil’s Advocate. If I am totally wrong and this takes off like wildfire, it means social budgets will need to grow this year and into next as a cost of doing business. It will be a fixed cost. Let’s say my company has 50 Twitter handles across the world. As I understand it, they’d be paying $8-11 x 50 x 12 months = $4,800 - $6,600 annually. For teams with small budgets, that’s a big deal. And what if Meta follows suit? And TikTok? On the positive side, this could force companies to be more judicious about their overall social media footprint and perhaps cull channels that are not providing ROI. For most companies, this would not be a bad thing.
WHAT THIS COULD MEAN FOR THE FUTURE OF TWITTER
I am not a fortune teller. But I always have a guess. :-) I’ve already written about how the chaos at Twitter and mass exodus of users may impact companies’ ability to data mine Twitter conversations the way they do today in a practice called social listening. And looking at it through this lens, I feel the need to add that it feels like Twitter is approaching some sort of point of implosion. People are tired of the constant stream of capital C Crazy happening at Twitter HQ. They are exhausted from continuous announcements and changes. And they are frustrated by tech glitches caused by poorly executed and abrupt changes. I just don’t know how much more people are willing to take before they truly just stop caring and go somewhere else for their dopamine and doomscrolling needs. I wonder if other platforms will see a boost in metrics as people move away from Twitter… and if they do, who will be the winner? (Whoa, deep thoughts.)
WHAT YOU SHOULD DO ABOUT IT
Hell yes, I made you read all the way down here to get to the “what to do about it” part. For the record, I don’t feel bad about it. But I won’t make you wait anymore. Anyone out there reading this – individual, small business or large enterprise corporation – you should go shopping for a password management tool NOW. Like NOW NOW. Here’s the primer you didn’t know you needed:
What is a password manager?
A password manager is a tool that helps you manage your passwords. It keeps all of your passwords in an online encrypted “vault” and then all you have to know is your one single master password to open your vault. For an organization, these can be used to store all of the company’s passwords in a centralized and safe place. Then the administrator can provision individual people with rights to use a password. In addition, those users get to use the password without actually ever getting to read or see the password. And in addition to that, you can change a password for any account on a dime, instantly updating it for anyone who has rights to use it. They are pretty slick. They are way safer than however you are currently saving your passwords – and by the way, Excel spreadsheets and password-protected PDFs that you share along with the password are not secure!
Really? Another tool?
Yes. I know that most companies will balk at yet another tool. And I have seen companies (incorrectly) put it in the “nice-to-have” column. But I do truly think this new change from Twitter forces it into the “must-have” column. I would much rather tell you to spend your money on a password tool that offers 2FA to protect ALL of your accounts than fork over $10 per account per month to the blue bird. Plus, please, let’s not validate this idea. Lest we all have to start paying $10 per channel on every platform. Also, did I mention, my top tool in this space is dirt cheap?
OK, so what’s my recommendation?
I used to consistently recommend two tools in this space, and sadly now that list has been whittled to one. LastPass has had several recent cybersecurity issues including hackers stealing customers’ encrypted vaults. The hackers still need their master passwords, but as previously discussed, this is not a particularly strong suit for a lot of humans. The theory is that the hackers will basically just start attempting passwords in sequence until they hit on some that open a vault.
So, the top of my very short list is now Keeper Security. Keeper is a great tool. Full disclosure, I do not get paid by Keeper to recommend it, and I AM a personal user of their tool. It’s easy to use, works pretty seamlessly on mobile and I DO recommend it. Personal plans start at $3 a month and there’s a family plan that gives each person their own vault but allows you to share passwords with each other. It’s nifty and is $6.25 a month. And if you’re a company, here’s the business pricing. To be transparent, there are also a number of other tools in this space that I am sure others would recommend. This is the one I recommend. But do feel free to do your own research, read some reviews.
Just remember: any password manager is better than none.