Lol…ppl are so spoiled these days. The sense of entitlement on a free service is hilarious. “How dare u on this free service I’ve been using for decades try to charge me for a premium security feature that you (the corp) have to pay some other company to enable 2FA infrastructure on!”
 
  • Angry
Reactions: nrose101
I set up Keychain 2FA. How do I get the code to pop up if I am logging in a web browser on my PC? Do I really need to open up the passwords area in settings to get the code? Will it not pop up like apple id verification codes?
 
It was great for quick news blips and was first to notify me when a celebrity died, but otherwise it became a political mess and I just found no value in it. When I heard Elon might be taking over I decided it was enough and deleted it. I don't regret it, and it was the only social media thing I really participated in.
 
Lol…ppl are so spoiled these days. The sense of entitlement on a free service is hilarious. “How dare u on this free service I’ve been using for decades try to charge me for a premium security feature that you (the corp) have to pay some other company to enable 2FA infrastructure on!”
Providing 2FA — even via SMS — is a core component of running a service in 2023. It has nothing to do with entitlement.

Now, if you had argued that people were lazy because they won’t switch to other provided 2FA mechanisms, well then I’d be in agreement with you.
 
  • Like
Reactions: no_idea
Hassle? Maybe it’s different outside the apple ecosystem but the venn circle for hassle doesn’t intersect anything in my iOS Keychain TOTP experience.

If I was a hacker this is exactly what I would write in a forum such as this hoping it might gain traction generally.

By giving the impression it’s hard to setup or use or not of greater security or utility some folks may not bother.

Because as a user of the iCloud Keychain’s built in TOTP authenticator I know that the switch from SMS to Keychain TOTP for a site takes <2 min and use during log in is as easy as pushing a button atop the keyboard to load the TOTP code into the login form.

When SMS 2FA became available years ago I went thru all my sites and added it. I periodically checked those that didn’t offer it and added it where it became possible.

Since iCloud Keychain TOTP authenticator became available last year where possible, I upgraded all my previous SMS offering sites to TOTP and upgraded any 1FA sites now offering TOTP as well.

At the same time, I:
- (upgraded SMS to TOTP where available)
- (upgraded 1FA to TOTP where available)
- saved each site specific recovery key and one time codes in the Keychain’s notes section.
- removed my phone number. (This being a common static element that can be used to fingerprint a user).
- upgraded sites from a couple of common email addresses to unique Hide My Email iCloud addresses for EACH site (this is possible with iCloud+ for $0.99/mo; also created a new gmail account to be used as the common inbox for all email being relayed through an iCloud address).
- where possible converted from a username for login authentication to the iCloud email address.
- upgraded 15-char site unique Keychain generated p/w’s to newer 20-character standard.
- where appropriate removed as much biographical info as possible, if non official used 6/6/66 as a common bogus birthday (if everybody did this it would further frustrate fingerprinting).
- for sites using them, I simplified all challenge questions according to a common standard and made a note of last word in question and the corresponding bogus answer. (Similarly, I noted any PIN or telephone passphrase in Keychain’s notes section).
- made notes in Keychain for the alias name I used on each site, what if any phone number, address, or birthday (real or bogus) is there.
- made a note of what credit card any site uses for recurring charges (as a general practice I never store card details except for recurring charges.)
- made a note in Keychain of 2FA status, so I can search it for biennial upgrade review. For example: 1FA, 2au (Keychain authenticator), 2ap (app based), 2sm, 3FA (available but not used bc not available where I live).

Now:
- I have a searchable overview of all logging authentication info and type, as well as any other security related info and biographical info.
- if I get spam via a unique iCloud email address, I know exactly where the site problem is and can go there and only there and quickly change e/m address, p/w, reset TOTP and RK or OTCs (as opposed to doing nothing because I’m not going to change anything on one let alone all 350 of my authentication records if I don’t know which site breached.)
- I can periodically review 2te or 1FA accounts for upgrade possibilities to 2au.
- I can soon abandon my old utility email addresses which have become spam receivers due to so many breaches over the years (I will keep these for a year, and monitor for any mail from any site I may have missed or which may have not implemented its new iCloud address properly; there were a couple that justified this after the fact.)

Of course it takes time to do all this but it compartmentalizes everything, and makes maintenance and breach repair supremely uniform and easy.

Take your time and peck away at it. It maybe took me a month or so to get thru all this. It may take you longer if you have not done any of these elements before. (Did on my iPhone while watching something Picture in Picture in corner.)

But in the end you will have peace of mind knowing you have the best possible security setup before a problem happens and a single cleanup to do should any breach become known to you (via spam, news, or contact from site.)
I never use any Apple service that needs the buggy iCloud service; this includes Keychain. While Keychain functionality has improved in recent releases, it is not multi-OS, requires Wallet to store a subset of financial data (which doesn’t support CVV autofill), has issues when you have multiple logins for one site and doesn’t support websites that use non-standard login/password (try to autologin to American Airlines with Keychain). I’d rather use a third party password mgmt solution.

Not every site needs two factor. In my mind, only financial, government, email and sites having my credit card need two factor. The rest of the logins don’t matter to me if breached.
 
  • Like
Reactions: dk001 and nrose101
The media wouldn’t phrase it so negatively if Twitter was implementing another more secure 2FA method that’s free for all users, Blue or not, and blocking all usage of the old SMS-based 2FA.

That could have been a good move to ensure less bots and identity theft, kinda like a “security update” for all accounts.

But Twitter didn’t stop supporting the old and less safe SMS 2FA for Blue so that can’t be the headline.

They’re just taking it away from non-paying users, forcing them to go Blue if they want the outdated 2FA method back.

Taking away basic features and making them premium perks for a monthly subscription fee; it’s standard practice for businesses in 2023.

The phrasing all around is confusing. It makes sense why they are doing it, kind of, but it wasn’t well explained. Twitter kind of encouraged the bad headlines. They should just remove phone number based two factor entirely. There are so many free ways to do it properly, it makes more sense than a phone number no matter how you look at it. Twitter wanted to save money on sms 2fa scams, just get rid of the sms service entirely.
 
The article calls it weird, and I might agree to an extent. The more secure option for a legitimate individual would be to eliminate SMS-based 2FA altogether. But bad actors don't just steal peoples' accounts. They have infrastructure to create fake accounts, and that infrastructure includes access to batches of cell phone numbers that are abused for falsifying their legitimacy. In this case, if the bad actors want to continue using that infrastructure, they'll have to pay for the privilege. And once they're paying for it, the financial system is another mechanism that can be used to identify them and shut them down. It's a zero-sum game though, as the bad actors will resort to other means. But in the near term, if Twitter chooses to leverage this new pathway to identity validation, it's a good move.
 
  • Like
Reactions: dk001
I set up Keychain 2FA. How do I get the code to pop up if I am logging in a web browser on my PC? Do I really need to open up the passwords area in settings to get the code? Will it not pop up like apple id verification codes?
There is an iCloud extension for chrome and Firefox you can use...

 
Lol…ppl are so spoiled these days. The sense of entitlement on a free service is hilarious. “How dare u on this free service I’ve been using for decades try to charge me for a premium security feature that you (the corp) have to pay some other company to enable 2FA infrastructure on!”
Um users are the product. Hence why free.
 
With one prob: I have Twitter on iPad and iPhone, used MS Authenticator. Authenticated on iPad, iPad version now recognizes. Twitter auto-authenticated the iPhone version, but iPhone MS Authenticator doesn't see Twitter account. So, I'll *have* to authenticate with iPad version. Wish MS would sync accounts! If I'd known, would've done with iPhone (more likely to be with me ;). (I use different app on Mac). Sympathize w/ those who dump Twitter (have now gone to Mastodon too), but been on so long, some relationships are largely through it. Resisting letting a prima donna ruin my day, hoping they'll shift back. Not posting there anymore, but still reading. BTW, pick 'following' not 'for you' ;).
 
Hassle? Maybe it’s different outside the apple ecosystem but the venn circle for hassle doesn’t intersect anything in my iOS Keychain TOTP experience.

If I was a hacker this is exactly what I would write in a forum such as this hoping it might gain traction generally.
Thanks - that is really descriptive and definitely sounds very secure. I currently use Apple password system, but always go back and forth if I should use 1Password instead.
 
Let's face it, if you are still using SMS for 2FA, you have bigger problems...

2FA over SMS has never been secure. I don't know what the fuss is about, people complaining that Twitter doesn't wanna harvest phone numbers like Google does. 2FA via OTP is the way.

 
Musk explained this multiple times. It has nothing to do with extracting revenue. It has everything to do with SPAM. SPAMmers repeatedly request text verification from Twitter servers, and it costs Twitter millions of dollars a month to service these SPAM requests. Limiting it to Blue members makes most of these requests real user requests and not SPAM. Auth apps are free and better anyway. While a strong password > any 2FA. So stop the propaganda.

 
Since they’re getting rid of SMS 2FA for non-paid accounts why didn’t they just get rid of it altogether? Treating a less secure authentication method as a paid perk is weird.
It's about fake phone auth requests. Some from telco operators trying to make money from Twitter.
 
Well, this is splendid. Twitter tells me to enter the confirmation code from the authentication app. Passwords in iOS settings tells me to enter a setup key from Twitter. Oh well.
 
  • Sad
Reactions: MaverickCC
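The confusion in the post above (the site asks for a six-digit code, the authenticator asks for a "setup key") is the two halves of TOTP (RFC 6238), which is what Keychain, MS Authenticator and the other apps in this thread implement. The setup key is a base32-encoded shared secret the site hands over once; the code is HMAC-SHA1 over the current 30-second time counter, truncated to six digits, so no SMS or phone number is involved at login. The example below is added here and is not code from the thread, Twitter, or Apple; it uses only the Python standard library, and the sample secret is the standard RFC 4226/6238 test secret ("12345678901234567890"), not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_setup_key(key: str) -> bytes:
    """Turn the 'setup key' a site shows (base32, often with spaces or dashes)
    into the raw shared secret. Padding is restored because sites usually omit it."""
    cleaned = "".join(key.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, for_time // step, digits)


def verify(secret: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current counter plus `window` steps either way
    to tolerate clock drift, and compares in constant time so a wrong guess cannot be
    timed against a right one. Real deployments also rate-limit attempts and refuse to
    accept the same counter twice."""
    counter = now // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


# Constructed demo: the RFC test secret in the spaced base32 form an app would show.
DEMO_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
DEMO_SECRET = decode_setup_key(DEMO_SETUP_KEY)

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"current code: {code}, seconds left: {30 - now % 30}")
    print("accepted:", verify(DEMO_SECRET, code, now))
```

The values in the test below are the published RFC 4226 (counter 0) and RFC 6238 (times 59 and 1111111109, six-digit form) vectors for that secret, so you can cross-check the arithmetic against any other authenticator implementation.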
I bet they remove two factor once they start charging for this extra security in Twitter Blue.

I knew when Elon took over, they would get rid of third party apps and they did. They'll get rid of this too.
 