The way this whole thing has been phrased is so inflammatory and misleading. I don’t know if it’s Twitter’s fault for bungling the announcement or the media’s fault for trying to paint every single thing Twitter does in the worst light possible. Probably a combination of both.

No one should be using SMS two factor for anything, ever. Only the worst companies offer it as the only option. OTP based two factor is the only way to go, and it should have been phrased this way in Twitter’s announcement. The headline should have been “Twitter stops supporting old insecure SMS based two factor.”

But the fact that they thought it would be a good idea to keep it and charge for it is baffling.
 
Just remember: every minute spent on Twitter is time you’ll never get back. Musk stole it from you, for profit. And he does this all day long.

We really needed Musk to personify everything that’s wrong with social media? The left used to love Twitter so much, it was their personal echo chamber. Now that Musk owns it everyone suddenly realizes how bad it has always been?
 
Since they’re getting rid of SMS 2FA for non-paid accounts why didn’t they just get rid of it all together? Treating a less secure authentication method as a paid perk is weird.
If we assume that Twitter is perpetually striving to make non-paying users look untrustworthy and feel like their data is not safe without Twitter Blue, then taking the almost setup-free SMS 2FA away does make sense.

Yes, there are much more secure 2FA methods, many 100% free to use. But most don’t understand or use those.
 
If we assume that Twitter is perpetually striving to make non-paying users look untrustworthy and feel like their data is not safe without Twitter Blue, then taking the almost setup-free SMS 2FA away does make sense.

Yes, there are much more secure 2FA methods, many 100% free to use. But most don’t understand or use those.

It’s past time that they learned.
 
2FA via text is not as secure as using 2FA via an app like 1Password anyway. In addition, this isn’t a strange decision, it’s a cost-savings decision. They are paying to send those texts. Acting like they are making it less secure is ridiculous considering how Tim laid out how to set up a safer 2FA with iOS or other apps.
 
Twitter is one of the accounts, for me, that if taken over, I will just create another account. I don’t use my main email account on any of these sites, since using an auth app is too much of a hassle for basically a viewing site.

Hassle? Maybe it’s different outside the Apple ecosystem, but the Venn circle for hassle doesn’t intersect anything in my iOS Keychain TOTP experience.

If I were a hacker, this is exactly what I would write in a forum such as this, hoping it might gain traction generally.

By giving the impression it’s hard to set up or use, or not of greater security or utility, some folks may not bother.

Because as a user of iCloud Keychain’s built-in TOTP authenticator, I know that the switch from SMS to Keychain TOTP for a site takes <2 min, and use during login is as easy as pushing a button atop the keyboard to load the TOTP code into the login form.

When SMS 2FA became available years ago I went through all my sites and added it. I periodically checked those that didn’t offer it and added it where it became possible.

Since the iCloud Keychain TOTP authenticator became available last year, where possible I upgraded all my sites that previously offered SMS to TOTP, and upgraded any 1FA sites now offering TOTP as well.

At the same time, I:
- (upgraded SMS to TOTP where available)
- (upgraded 1FA to TOTP where available)
- saved each site specific recovery key and one time codes in the Keychain’s notes section.
- removed my phone number. (This being a common static element that can be used to fingerprint a user).
- upgraded sites from a couple of common email addresses to unique Hide My Email iCloud addresses for EACH site (this is possible with iCloud+ for $0.99/mo; also created a new Gmail account to be used as the common inbox for all email being relayed through an iCloud address).
- where possible converted from a username for login authentication to the iCloud email address.
- upgraded 15-char site unique Keychain generated p/w’s to newer 20-character standard.
- where appropriate removed as much biographical info as possible; if non-official, used 6/6/66 as a common bogus birthday (if everybody did this it would further frustrate fingerprinting).
- for sites using them, I simplified all challenge questions according to a common standard and made a note of last word in question and the corresponding bogus answer. (Similarly, I noted any PIN or telephone passphrase in Keychain’s notes section).
- made notes in Keychain for the alias name I used on each site, what if any phone number, address, or birthday (real or bogus) is there.
- made a note of what credit card any site uses for recurring charges (as a general practice I never store card details except for recurring charges.)
- made a note in Keychain of 2FA status, so I can search it for biennial upgrade review, for example: 1FA, 2au (Keychain authenticator), 2ap (app based), 2sm, 3FA (available but not used because not available where I live).

Now:
- I have a searchable overview of all login authentication info and type, as well as any other security-related info and biographical info.
- if I get spam via a unique iCloud email address, I know exactly where the site problem is and can go there and only there and quickly change e/m address, p/w, reset TOTP and RK or OTCs (as opposed to doing nothing because I’m not going to change anything on one, let alone all 350, of my authentication records if I don’t know which site was breached.)
- I can periodically review 2te or 1FA accounts for upgrade possibilities to 2au.
- I can soon abandon my old utility email addresses which have become spam receivers due to so many breaches over the years (I will keep these for a year, and monitor for any mail from any site I may have missed or which may have not implemented its new iCloud address properly; there were a couple that justified this after the fact.)

Of course it takes time to do all this but it compartmentalizes everything, and makes maintenance and breach repair supremely uniform and easy.

Take your time and peck away at it. It maybe took me a month or so to get through all this. It may take you longer if you have not done any of these elements before. (Did it on my iPhone while watching something Picture in Picture in the corner.)

But in the end you will have peace of mind knowing you have the best possible security setup before a problem happens and a single cleanup to do should any breach become known to you (via spam, news, or contact from site.)
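The TOTP codes that iCloud Keychain, 1Password and similar apps generate, and which the post above moved its sites onto, come from the RFC 6238 algorithm. The block below is an added illustration written for this thread; it is not code from the poster, from Apple or from Twitter. It decodes a base32 secret the way an authenticator does when you paste a "manual entry" key, derives the 6-digit code, and shows the server-side check a site should run: allow one 30-second window of clock skew, compare in constant time, and never accept a window twice, so a code seen in transit is useless afterwards. The secret and timestamps are the published RFC 6238 test vector, not anyone's real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Turn the secret from an otpauth:// URI or a 'manual entry' dialog into key bytes.
    Those are base32 without padding, often lower-case and grouped with spaces."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 decoding expects
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current window or one window either side (clock
    skew), compares in constant time, and refuses to accept a window twice so a code
    that was observed in transit cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_accepted_window = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            window = current + delta
            if window <= self.last_accepted_window:
                continue  # already consumed, or older than a window we consumed
            if hmac.compare_digest(hotp(self.key, window, self.digits), code):
                self.last_accepted_window = window
                return True
        return False


# RFC 6238 reference secret "12345678901234567890", base32-encoded as it would
# appear in a QR code or manual-entry dialog (a test vector, not a real account key).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(RFC6238_SECRET_B32)
    print("code for this 30-second window:", totp(key, int(time.time())))
```

Nothing in the code depends on where it was typed: the only inputs are the shared secret and the clock, which is why a TOTP that is relayed to the real site still verifies and why hardware keys, discussed further down the thread, add something TOTP cannot.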
 
Just remember: every minute spent on Twitter is time you’ll never get back. Musk stole it from you, for profit. And he does this all day long.
I get your point. Own your power.
The time for private people on Twitter has totally ended. I have absolutely no need to use mine.
But it actually was dying before Musk took over. That transition just made it so much clearer.

I may use it only for professional purposes later, or delete it then and create a new professional account at the time if I find it useful. Or not at all. Time will tell. It's stone dead privately anyway.
 
I kept mine secure by deleting it. You should try it sometime. It’s also great for one’s mental health (sounds more serious than it is). I used to engage with strangers, which always put me in a bad mood afterwards. Now that I deleted it, I am like why did I care what strangers were thinking! So silly
Deleting that and Facebook and engaging the real world more did wonders for my health.
 
The way this whole thing has been phrased is so inflammatory and misleading. I don’t know if it’s Twitter’s fault for bungling the announcement or the media’s fault for trying to paint every single thing Twitter does in the worst light possible. Probably a combination of both.

No one should be using SMS two factor for anything, ever. Only the worst companies offer it as the only option. OTP based two factor is the only way to go, and it should have been phrased this way in Twitter’s announcement. The headline should have been “Twitter stops supporting old insecure SMS based two factor.”

But the fact that they thought it would be a good idea to keep it and charge for it is baffling.
The media wouldn’t phrase it so negatively if Twitter was implementing another more secure 2FA method that’s free for all users, Blue or not, and blocking all usage of the old SMS-based 2FA.

That could have been a good move to ensure less bots and identity theft, kinda like a “security update” for all accounts.

But Twitter didn’t stop supporting the old and less safe SMS 2FA for Blue so that can’t be the headline.

They’re just taking it away from non-paying users, forcing them to go Blue if they want the outdated 2FA method back.

Taking away basic features and making them premium perks for a monthly subscription fee: it’s standard practice for businesses in 2023.
 
To all the smug ones who always respond to articles like this with "Just don't use Twitter/Facebook etc"; you do realise it's possible for intelligent people to use social media as a tool without getting dragged into the 'dark side' of it?

For example, if I want to reach a company's customer service, I generally find I can try phoning them, end up on hold for 30 minutes and then speaking to someone I can't understand; I can try sending an email which I might get a response to after a week, or I can Tweet them and often get a reply within an hour.

It seems to be cool to adopt a blanket condescending attitude to social media these days, but away from what is undeniably the cesspit side of it, there are still many useful and legitimate uses.
 
Hassle? Maybe it’s different outside the Apple ecosystem, but the Venn circle for hassle doesn’t intersect anything in my iOS Keychain TOTP experience.

If I were a hacker, this is exactly what I would write in a forum such as this, hoping it might gain traction generally.

By giving the impression it’s hard to set up or use, or not of greater security or utility, some folks may not bother.

Because as a user of iCloud Keychain’s built-in TOTP authenticator, I know that the switch from SMS to Keychain TOTP for a site takes <2 min, and use during login is as easy as pushing a button atop the keyboard to load the TOTP code into the login form.

When SMS 2FA became available years ago I went through all my sites and added it. I periodically checked those that didn’t offer it and added it where it became possible.

Since the iCloud Keychain TOTP authenticator became available last year, where possible I upgraded all my sites that previously offered SMS to TOTP, and upgraded any 1FA sites now offering TOTP as well.

At the same time, I:
- (upgraded SMS to TOTP where available)
- (upgraded 1FA to TOTP where available)
- saved each site specific recovery key and one time codes in the Keychain’s notes section.
- removed my phone number. (This being a common static element that can be used to fingerprint a user).
- upgraded sites from a couple of common email addresses to unique Hide My Email iCloud addresses for EACH site (this is possible with iCloud+ for $0.99/mo; also created a new Gmail account to be used as the common inbox for all email being relayed through an iCloud address).
- where possible converted from a username for login authentication to the iCloud email address.
- upgraded 15-char site unique Keychain generated p/w’s to newer 20-character standard.
- where appropriate removed as much biographical info as possible; if non-official, used 6/6/66 as a common bogus birthday (if everybody did this it would further frustrate fingerprinting).
- for sites using them, I simplified all challenge questions according to a common standard and made a note of last word in question and the corresponding bogus answer. (Similarly, I noted any PIN or telephone passphrase in Keychain’s notes section).
- made notes in Keychain for the alias name I used on each site, what if any phone number, address, or birthday (real or bogus) is there.
- made a note of what credit card any site uses for recurring charges (as a general practice I never store card details except for recurring charges.)
- made a note in Keychain of 2FA status, so I can search it for biennial upgrade review, for example: 1FA, 2au (Keychain authenticator), 2ap (app based), 2sm, 3FA (available but not used because not available where I live).

Now:
- I have a searchable overview of all login authentication info and type, as well as any other security-related info and biographical info.
- if I get spam via a unique iCloud email address, I know exactly where the site problem is and can go there and only there and quickly change e/m address, p/w, reset TOTP and RK or OTCs (as opposed to doing nothing because I’m not going to change anything on one, let alone all 350, of my authentication records if I don’t know which site was breached.)
- I can periodically review 2te or 1FA accounts for upgrade possibilities to 2au.
- I can soon abandon my old utility email addresses which have become spam receivers due to so many breaches over the years (I will keep these for a year, and monitor for any mail from any site I may have missed or which may have not implemented its new iCloud address properly; there were a couple that justified this after the fact.)

Of course it takes time to do all this but it compartmentalizes everything, and makes maintenance and breach repair supremely uniform and easy.

Take your time and peck away at it. It maybe took me a month or so to get through all this. It may take you longer if you have not done any of these elements before. (Did it on my iPhone while watching something Picture in Picture in the corner.)

But in the end you will have peace of mind knowing you have the best possible security setup before a problem happens and a single cleanup to do should any breach become known to you (via spam, news, or contact from site.)
Great post (unfortunately a tad astray from the topic at hand so it won’t get the traction it deserves).

I do the same in a password manager that implements tags. Many of the same parameters you list are tags in my system so it makes it easy to see, for example, sites that have 2FA via TOTP vs hardware token.
 
Twitter still allows hardware keys, which are the ultimate 2FA, completely immune to phishing unlike SMS/TOTP based schemes.

Why you’d want to give Twitter (or any non-financial company) your personal mobile phone number is beyond me anyways.
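The reason a hardware key resists phishing where SMS and TOTP do not is origin binding: during a WebAuthn login the browser records the origin it is actually on in clientDataJSON, the authenticator signs that together with a hash of the relying-party ID, and the site refuses any assertion whose origin or RP ID is not its own. The block below is an added illustration of that relying-party check, written for this thread; it is not Twitter's code, a FIDO library, or any browser's implementation. One simplification is labelled in the code: the standard library has no ECDSA or Ed25519, so the credential's signature is modelled with an HMAC under a per-credential key that only the authenticator and relying party hold. The field names, the signed data layout and the order of checks follow the WebAuthn specification; the origins and keys are constructed for the demo.

```python
import hashlib
import hmac
import json
import os


def browser_rp_id(origin: str) -> str:
    """The browser derives the relying-party ID from the page's origin; a page served
    from any other host gets a different RP ID, and the credential is scoped to it."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host.split(":", 1)[0]


def sign_assertion(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """What the browser and authenticator return from navigator.credentials.get().
    clientDataJSON carries the origin the browser observed; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(browser_rp_id(browser_origin).encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x00"  # flags: user present; counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    # Stand-in for the credential's private-key signature (assumption for this demo).
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(cred_key: bytes, expected_rp_id: str, expected_origin: str,
                     challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    try:
        client_data = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(client_data.get("challenge", ""), challenge.hex()):
        return False  # must be the challenge this login session issued
    if client_data.get("origin") != expected_origin:
        return False  # the phishing-resistance check: signed while on another site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # credential scoped to a different RP ID
    if not auth_data[32] & 0x01:
        return False  # user-presence flag not set
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo() -> tuple:
    """Constructed scenario: same credential, same challenge, one assertion produced on
    the site's own origin and one produced on some other origin. Only the first verifies."""
    cred_key = os.urandom(32)  # constructed; in reality registered at enrolment
    challenge = os.urandom(32)
    genuine = sign_assertion(cred_key, challenge, "https://example.com")
    elsewhere = sign_assertion(cred_key, challenge, "https://example.net")
    accepted = verify_assertion(cred_key, "example.com", "https://example.com", challenge, genuine)
    rejected = verify_assertion(cred_key, "example.com", "https://example.com", challenge, elsewhere)
    return accepted, rejected


if __name__ == "__main__":
    print("genuine origin accepted, other origin accepted:", demo())
```

The contrast with a TOTP code is the inputs: a TOTP depends only on the shared secret and the clock, so the site has no way to learn where the user typed it, whereas here the origin and RP ID hash are part of what is signed and are checked before the signature is even examined.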
 
I get your point. Own your power.
The time for private people on Twitter has totally ended. I have absolutely no need to use mine.
But it actually was dying before Musk took over. That transition just made it so much clearer.

I may use it only for professional purposes later, or delete it then and create a new professional account at the time if I find it useful. Or not at all. Time will tell. It's stone dead privately anyway.
Does Twitter recycle usernames? Many sites do.

If so — and depending on your username — it might be better to just sit on your account and not use it instead of deleting it.
 
In a related development:

Rumors are flying that Elon will kill the Macrumors Twitter handle, citing a threat to gouge revenue. :cool:
 
+1

I also like Strongbox which lets you keep your TOTP codes in an encrypted vault.
I use Strongbox as my main password manager as well. However, I don't use it for TOTP, and the reason is you put yourself at risk combining that in a manager, in my opinion. If you have trouble with your password manager in part or in whole, you want to be able to still access TOTP ability.
 
SMS 2FA is nice when the code appears above your keyboard so you don’t need to type it or even flick over to the SMS and copy and paste it in, but app based MFA is way more secure. I’d rather take the extra few seconds to use app MFA than pay to receive it by SMS.

charging for SMS 2FA, that takes courage.

1Password and iOS keychain both provide auto fill for 2FA.
 
SMS 2FA is nice when the code appears above your keyboard so you don’t need to type it or even flick over to the SMS and copy and paste it in, but app based MFA is way more secure. I’d rather take the extra few seconds to use app MFA than pay to receive it by SMS.

charging for SMS 2FA, that takes courage.
Doing the 2FA through iOS will do that too :)
 
It's easy. Just delete your Twitter account. I did. I didn't care what Musk said or did, but once he killed Tweetbot, I was done. Twitter can die off or grow into the next Apple. Either way, it makes zero difference to me.
 
Wow, this is absolutely asinine! So they want their platform to encourage both insecure and secured accounts? So they're willing to destroy their own reputation in the process. Ok. Fine.
 