After two weeks Due to the extreme chaos on Twitter, users are joining and leaving the site in droves. More quietly, many are likely to review their accounts, check their security settings, and download their data. But some users report problems when trying to generate two-factor authentication codes via SMS: either the texts don’t arrive or they’re delayed by hours.
Troubled two-factor SMS codes mean users can be locked out of their accounts and lose control of them. They may also find themselves unable to make changes to their security settings or download their data using Twitter access function. The situation also gives an early hint that problems within Twitter’s infrastructure are bubbling to the surface.
Not all users have problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting problems on Twitter since the weekend, and WIRED confirmed that on at least some accounts, verification texts are being delayed by hours or not arriving at all. The merger comes less than two weeks after Twitter laid off about half of its workforce, roughly 3,700 people. Since then, engineers, operations specialists, IT staff and security teams have been stretched to try to adapt Twitter’s offerings and build new features according to new owner Elon Musk’s agenda.
Reports indicate that the company may have laid off too many employees too soon and that it has been trying to hire some workers. Meanwhile, Musk has said publicly that he is directing staff to disable parts of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he posted on Twitter this morning. “Less than 20 percent is actually needed for Twitter to work!”
Twitter’s communications department, which is said to be defunct, did not return WIRED’s request for comment about problems with SMS two-factor authentication codes. Musk did not answer one I tweet seeking comment.
“Temporarily suspending multi-factor authentication could have the effect of locking people out of their accounts. But the even more worrisome concern is that it will encourage users to simply turn off multi-factor authentication, which makes them less secure,” says Kenneth White, co-director of the Open Crypto Audit Project and a security engineer for a long time. “It’s hard to say exactly what caused the problem that so many people are reporting, but it certainly could result from the large-scale changes in Internet services that have been announced.”
SMS texts aren’t the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree it’s better than nothing. As a result, even intermittent or sporadic outages are problematic for users and can put them at risk.
Twitter’s SMS authentication code sending system has had consistent stability issues over the years. In August 2020, for example, Twitter Support posted on Twitter, “We are considering not having account verification codes delivered via SMS text or phone call. We apologize for the inconvenience and we will keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing the verification code delivery, but we’re making progress. We apologize for the disappointment this has caused and appreciate your patience as we continue to work on this. We hope to fix it soon for those of you who are not getting a code.”
