With all of Twitter’s ever-growing technical problems, I’d missed an elephant-in-the-room-sized disaster. Fortunately, a friend reminded me that many people use Twitter’s login as their login for other websites. Eep! You need to stop doing that right now.
Why? Because part of Twitter’s log-in system is already broken. Twitter’s text two-factor authentication (2FA) started breaking on Monday, Nov. 14. This came after Twitter CEO Elon Musk announced that Twitter would be “turning off the ‘microservices’ bloatware.”
Musk may be great at launching rockets, but that may not translate to accuracy in identifying microservices bloatware. One or more of those services was essential to 2FA (two-factor authentication) using text messages. Text, aka SMS, 2FA is the most commonly used form of 2FA. The result of this removal is that if you had 2FA set to protect your account from hackers, you can no longer use it to change your password or log back in if you thumb-finger your password.
Ian Coldwater, Kubernetes Security co-chair and Twilio architect, who knows a thing or two about security and microservices, tweeted, “The microservice that delivers SMS-based 2FA codes is broken. There are also reports of backup codes being broken. If you have SMS 2FA, don’t log out.”
Coldwater recommended staying logged in and changing your 2FA method from text message to email or an authenticator app or a physical security key (such as a YubiKey).
So much for Twitter. But, what’s potentially even worse is if you use Twitter for single-sign-on (SSO) on other sites, you could also be blocked from them. As Coldwater tweeted, “If you have any apps or sites you log in to connected to your Twitter account via OAuth, I STRONGLY recommend changing that right now while you still can.”
To change your Twitter 2FA, go to Settings & Support > Settings & Privacy > Security & Account Access > Security > Two-factor authentication.
If text has been chosen for your 2FA method, switch from that to either an authenticator app or a security key. Just follow the instructions, and you should be fine… for now.
Another thing to keep in mind: Sites often offer SSO as an easy way to log in without creating yet another password. Instead, you just use your Google, Microsoft, Facebook, Apple, or Twitter login name and password.
That’s fine, if you trust the major site to stay stable and protect your data. But in the current circumstances, Twitter isn’t trustworthy in that sense.
You should immediately go to those sites where you use Twitter to log in and replace it with something — anything — else. To find out which sites you’re using Twitter as your SSO for, go to the Twitter app or website and check Settings & Support > Settings & Privacy > Security & Account Access > Apps & sessions.
Once there, check Connected Apps for applications that have read-write permissions to Twitter or vice versa. Then, check Account access history for sites that have used Twitter for logins recently.
Armed with this information, go to the sites and services you’ve found and switch to another, more stable login and password. The way things are going, it’s only a matter of time before there’s another Twitter tech crackup, and you don’t want to be locked out of other sites when — not if — Twitter fails.