
Stop using Twitter to log in to other sites



With all of Twitter’s growing technical problems, I missed an elephant-in-the-room-sized disaster. Luckily, a friend reminded me that many people use their Twitter logins as logins for other sites. Beep! You need to stop doing that right away.

Why? Because part of Twitter’s login system is broken. Twitter’s text-message two-factor authentication (2FA) started breaking on Monday, November 14. This came after Twitter CEO Elon Musk announced that Twitter will “disable bloatware ‘microservices’.”

Musk may be good at launching rockets, but that may not translate into accuracy in identifying microservice bloatware. One or more of these services is necessary for 2FA that uses text messages. Text, aka SMS, 2FA is the most commonly used form of 2FA. The result of this removal is that if you’ve set up 2FA to protect your account from hackers, you can no longer use it to change your password or log back in if you fumble your password.

Ian Coldwater, Co-President of Kubernetes Security and a Twilio architect, who knows a thing or two about security and microservices, tweeted, “The microservice that provides 2FA code based on SMS is broken. There are also reports of broken backup codes. If you have SMS 2FA, don’t log out.”

Coldwater recommends staying signed in and changing your 2FA method from text message to email, an authentication app, or a physical security key (such as a YubiKey).

So much for Twitter. What is likely to be worse, however, is that if you use Twitter for single sign-on (SSO) on other websites, you may be locked out of them as well. As Coldwater tweeted, “If you have any apps or websites you log into to connect to your Twitter account via OAuth, I strongly recommend changing that now while you still can.”

To change your Twitter 2FA, go to Settings & Support > Settings & Privacy > Security & Account Access > Security > Two-Factor Authentication.

If text message is selected as your 2FA method, switch from it to an authentication app or security key. Just follow the instructions, and you should be fine… for now.


Another note: Websites often offer SSO as an easy way to log in without creating another password. Instead, you simply use your Google, Microsoft, Facebook, Apple or Twitter login and password.

That’s fine, if you trust the main site to be stable and to protect your data. But in the current circumstances, Twitter is not trustworthy in that sense.

You should immediately go to those sites where you use Twitter to log in and replace it with something — anything — else. To see which sites you’re using Twitter as SSO for, go to the Twitter website or app and check Settings & Support > Settings & Privacy > Security & Account Access > Apps & sessions.

Once there, check Connected Apps for apps that have read-write permissions to Twitter or vice versa. Then, check the Account Access History for sites that have recently used Twitter to log in.

Armed with this information, visit the sites and services you’ve found and switch to a different, more stable login and password. The way things are going, it’s only a matter of time before there’s another Twitter tech hack and you don’t want to be locked out of other sites when — not if — Twitter fails.
