Twitter has followed through with its half-baked plan to turn off two-factor authentication for (millions of?) non-paying users, leaving them half-naked to the vast criminal underground. If that’s you, you’re looking at not-very-good choices right now, but doing nothing might be the worst of all. I’m seeing reports of people getting hacked almost immediately, which you would expect, given the long lead time criminals have had to prepare for this day when many accounts would suddenly be one password away from compromise.
The only practical answer for most people who wish to continue to use Twitter without paying for SMS security is to enable a free token generator tool like Google Authenticator. I recommend you do that, too, rather than remain out there half-naked. Twitter has haphazardly implemented this massive security change in the most unprofessional and ineffective way, putting all the onus on users — messages this week even tell users “you’ve turned off two-factor authentication,” which is quite an abuse of the English language. It would be understandable, even responsible, for these users to rush into installation of an authenticator. But please take heed of the advice I’m about to give or else, I promise, sometime in the next 10-500 days you’re going to have a Hellish time recovering from loss of access to your account.
In short, if you lose your phone, or it’s damaged, or you lose access to that authentication code for any reason, you may very well lose your Twitter account forever. The only thing standing between you and that very frustrating day would be a massive increase in Twitter customer service spending, and I can just about promise you, that’s not happening.
Many authentication tools have a big implementation flaw: they don’t have a user-friendly failover plan. This is because tokens have a damned-if-you-do-and-damned-if-you-don’t quality. Google Authenticator does NOT allow you to create backups. Why? Backups could be accessed by hackers, rendering the entire security protocol insecure.
You’ve seen, and used, the “forgot your password?” link many times. It’s a way of dealing with perhaps the most common roadblock on the Internet — users are told not to re-use passwords, so they forget all these newfangled passwords they use. They’re told to use password managers (a good idea!) but then they lose access to that manager or something else goes wrong. No worries: ‘Forgot your password’ usually fixes things quickly. But it’s also the weakest link in many security implementations (Here’s my 15-year-old story about that!). Criminals with just an email address can request a password reset using ‘forgot your password,’ so it creates quite a dilemma for tech companies — how do you service forgetful users without making things easy for criminals?
Authenticator implementations go a new route, effectively eliminating the customer service part of this risk equation.
If you can’t access Google Authenticator…you can’t log in. You can’t write to the app or website and ask for a new authentication code the way you use “forgot your password.” You are…just stuck. If your phone is stolen, you can’t generate the code you need to log in. Period. As I described in my story about recovering Rusty’s Instagram account, you may very well be in for months of frustration trying to recover your account some other way. Some other way, like this “prison photo” I had to take of myself.
Unless you’ve prepared ahead of time. Many sites which use authenticators create their own backup systems — often, one-time codes that the app generates which can be used as a kind of get-out-of-jail-free card. Twitter, at the moment, lets you generate one such code. To find it, for now, go to “Security and Account Access” then “Security” then “Two Factor Authentication” then “Backup Codes.” Then — and this is CRITICAL — take a screenshot of that code or write it down and put it someplace you’ll remember for the inevitable day that you’ll need it.
WARNING: YOU CANNOT GENERATE THIS CODE AFTER YOU’VE LOST ACCESS TO YOUR ACCOUNT!! You MUST take this step RIGHT NOW, as soon as you implement an authenticator app.
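To make concrete why an authenticator has no “forgot your password” path and why the backup code is the only designed failover, here is an added illustration (not Twitter’s or Google’s code): an RFC 6238 TOTP generator of the kind an authenticator app runs, checked against the RFC’s published test vector, beside a hypothetical server-side backup-code store that keeps only hashes and deletes each code the moment it is redeemed.

```python
"""TOTP plus single-use backup codes (illustration, not any vendor's code).

The phone holds one secret: the seed scanned from the QR code. The server
holds the same seed and can only check codes derived from it, so losing the
phone (the seed) leaves nothing to reset. Backup codes are the failover:
high-entropy, stored hashed, each usable exactly once.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1):
    """Server-side check: current step plus `window` neighbours for clock skew."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, now + step * k, step), code)
               for k in range(-window, window + 1))


class BackupCodes:
    """Hypothetical server-side store for one-time recovery codes."""

    def __init__(self, count=8):
        # Plaintext codes are shown to the user exactly once; only hashes persist.
        self.plain = [secrets.token_hex(6) for _ in range(count)]
        self._hashes = {self._h(c) for c in self.plain}

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code):
        """Accept a code once; a reused or unknown code is rejected."""
        h = self._h(code)
        if h in self._hashes:
            self._hashes.discard(h)  # consumed: the same code never works again
            return True
        return False

    def remaining(self):
        return len(self._hashes)
```

The seed `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` (base32 of the RFC 6238 test key) yields `287082` at T=59; it is that seed, not the rolling codes, that a cloud-backed authenticator saves and that a stolen phone takes with it.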
As you re-read that section of this story, I’m sure you’ll see this as I do. There’s about a zillion ways human beings can get this step wrong, and will get this wrong. I predict Twitter will relatively soon be overwhelmed with account recovery requests that it cannot handle. That’s precisely what happened to Instagram/Facebook with authenticator tools. Desperate Instagram users write to me every day trying to regain access to their accounts. I predict this is going to be a far bigger issue for Twitter than account hacking.
For what it’s worth, in Instagram’s case, I believed I *had* copied the backup codes (three years prior) when I turned on 2FA after a hacking attempt from Russia; the codes I had didn’t work. So I think it’s quite possible consumers who don’t create backup codes, or don’t copy them down, or can’t find them the day they need them, aren’t the only potential pitfall of this system.
Meanwhile, if you are thinking, “I’m supposed to write down a secret code on a post-it note and leave it where I can find it as a login procedure? Isn’t that what they told me NOT to do 30 years ago?” you aren’t alone.
To be sure, there are *better* ways to implement an authenticator-based two-factor system. After my phone was stolen, Substack had me fill out a form and I engaged with a customer service representative over email who verified my identity manually. That worked just fine within a day or so. Twitter could, in theory, do this. It won’t. It will be too expensive. Far more expensive than the cost of those pesky SMS text messages that Elon just turned off out of spite and desperate penny-pinching.
Were the implementation responsible and well-planned, I would cheer for the end of SMS-based authentication. It’s not particularly safe, though it is far, far safer than a password alone. Switching to a “something you have” model is truly a good long-term goal. But turning off two-factor en masse is crazy, as is hurling a bunch of unprepared people into the world of token-based authentication.
BOTTOM LINE: If your two-factor authentication setup has been turned off by Twitter, take 10 minutes to turn it on now, but DON’T sprint past the backup method. I wish I could give you universal instructions to do this. I can’t, really. Everyone’s setup and needs are different. Just ask yourself: What would I do if I lost my phone? For a little more help, here’s a good CNET story about the right way to turn on authenticator on an up-to-date iPhone.
Also, there are alternatives to backup-limited tools like Google Authenticator. Microsoft Authenticator backs up accounts in the cloud — i.e., if you lose access to your phone, you can re-download the authentication generator. I have not used it so I cannot recommend it. Twitter also recommends Authy, Duo Mobile, and 1Password; each of them has its own backup options and quirks. I’ve linked to their backup explainer pages. But whatever you do, don’t just add an authentication app today and move on. You’ll regret it.
Dealing with Twitter's big 2FA downgrade today? Don't make this HUGE mistake