In this edition of Rob’s Corner of the MIRACL Memo, Rob discusses Twitter’s announcement that only verified users, who pay for their accounts, will have access to SMS OTPs as their multi-factor authentication option. Rob takes a deep dive into the maths of SMS as an MFA solution, and well…it just doesn’t add up. Watch to learn more about why SMS is not as affordable as it seems, is highly vulnerable to attacks and is simply the nemesis of MIRACL. MIRACL offers highly secure and super simple single-step MFA. Authenticate your users in seconds whilst increasing security as MIRACL Trust is resilient to most known cyberattacks.
Transcription:
Over the last few days, Twitter has brought SMS 2 Factor Authentication into the headlines. They’re now insisting that only subscribing ‘Blue tag’ users are able to use it to log into their accounts.
Other users will have to use a downloaded authenticator app.
What’s the reason for this SMS clampdown? Musk says SMS bills were costing Twitter $60m a year, not counting traffic in North America. Twitter established that 390 non-US telecom operators had a failed login rate in their total traffic of over 10%. In other words, SMS messages were being charged when no login occurred.
Musk claims that this was due to dishonest telecom operators using bots to game the system.
So, what are the numbers?
Well, Twitter has roughly 400m users. 320m are outside the US. We know that 2.6% of users use 2FA, of which 75% opt for SMS. So, if roughly 2% of the 320m users opted to use SMS2FA, 1.6m users were resulting in $60m of SMS charges. That works out at $37 per user per year!!
Assuming a cost of 2 cents per SMS, this means 1.6m users were sent 3 billion SMS messages!!
For MIRACL, SMS 2FA is our NEMESIS. It provides a terrible user experience. We’ve seen login success rates as low as 60%, so Twitter considers 10% login failure acceptable.
There are lots of reasons for this - the messages are often delayed, or a user may not have reception. SMS2FA is also not at all secure because it can be phished and is vulnerable to SIM-swap fraud.
Finally, messages often cost over 3 pence in the UK and more internationally, so we knew they could be costly. However, never did we imagine that SMS could be costing $37 per user per year!
If you’re an operator using SMS2FA, watch out. You could be getting scammed right now.
Thanks for watching.