Per @racheltobac: 75% of Twitter 2FA users are using SMS-based authentication. In theory those users could switch to authenticator apps (or pay 😂) but they probably won’t.
Matthew Green (matthew_d_green@ioc.exchange)'s status on Sunday, 19-Feb-2023 03:03:07 JST
Matthew Green (matthew_d_green@ioc.exchange)'s status on Sunday, 19-Feb-2023 03:03:05 JST
The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.
Matthew Green (matthew_d_green@ioc.exchange)'s status on Sunday, 19-Feb-2023 03:03:05 JST
Free one-time code authenticators *should* be built into every phone. They *should* be enabled on the default keyboard. They *should* be securely backed up to an end-to-end encrypted account. If Google/Apple did this, adoption would be high.
Matthew Green (matthew_d_green@ioc.exchange)'s status on Sunday, 19-Feb-2023 03:03:06 JST
Smart people keep saying things like “but authenticator apps will still be free and those won’t require you to pay, plus they’re more secure.” That’s true! But also completely misunderstands what’s about to happen.
Matthew Green (matthew_d_green@ioc.exchange)'s status on Sunday, 19-Feb-2023 03:03:06 JST
What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built-in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately none of the same things are true for HOTP/authenticator apps.