NCSC: Twitter Users Should Find MFA Alternatives

Written by

Twitter users soon to be stripped of text-based multi-factor authentication (MFA) should urgently find an alternative, the UK’s National Cyber Security Centre (NCSC) has said.

The agency, part of GCHQ, argued that MFA offers consumers “huge benefits” in helping them to secure their online accounts, by adding an extra layer of protection on top of strong passwords and password managers.

Sean D, NCSC technical director for consultancy and advice, said that although text-based MFA – also known as 2FA or two-step verification (2SV) – is vulnerable to bypass, it is better than no MFA at all.

“This feels timely, because I’m seeing a huge increase in the number of phishing attempts in my personal email at the moment,” he added. “Phishing is one way for cyber-criminals to try and get unauthorized access to our accounts and setting up 2SV is really effective to help prevent that.”

In fact, Proofpoint this week claimed to have recorded a 76% year-on-year (YoY) increase in financial losses stemming from phishing attacks in 2022. It added that phishing attacks that included a vishing element hit a peak of 600,000 attempts per day at times last year.

The NCSC pointed Twitter users to try an authenticator app like Google Authenticator or Microsoft Authenticator.

“If you find yourself in a position where a service is withdrawing support for your option to use SMS codes for 2SV, we’d strongly encourage you to replace it with another 2SV method, preferably a better one if you can, rather than leaving yourself potentially vulnerable,” Sean D concluded.

“In fact, even if a service you use isn’t changing your 2SV options, it’s still worth reviewing your choices to see if you’re using the most secure type for your usability and convenience.”

Twitter said last month that non-Twitter Blue subscribers will have until March 20 to find an alternative MFA method, as text messages containing one-time passcodes will be switched off at that time.

A surge in SMS pumping fraud is partly to blame for the decision.

What’s hot on Infosecurity Magazine?