Kölsch, computers & football - that's what this blog is about, among other things. Instead of colourful frills you get information and opinion - namely mine. It doesn't always have to please.

Twitter and 2-Factor-Authorization - who's to blame?


When I talk about 2FA here, I mean app-based 2FA such as Google Authenticator, Microsoft Authenticator, Authy or similar. I am not referring to SMS-Token *sic* or Yubikeys.

I guess most of you have heard about German politicians and celebrities being doxed, starting in December 2018. It seems the hacker's attack vector was private accounts that were not properly secured (i.e. missing 2FA, weak passwords etc.). Some people even claimed that Twitter's 2FA had a flaw which, in my humble opinion, is, well, bullshit. Twitter can do better in terms of security; however, I see things a bit differently and wouldn't call it a security flaw.

What you need to know:

Twitter can remove 2FA from your account if you ask them to and prove that you are the legitimate account holder. Well, it's not really a big hurdle to "prove" that you are the legitimate account holder as long as you have access to the email account linked to the Twitter account. However, you still need the Twitter password: no password, no Twitter - nothing, nada, niente.

How do I know about the procedure? Long story short, I had to get 2FA removed from my Twitter account to get back access to one of my Twitter accounts.

"Holy shit, I fucked up BIG TIME!"

Well, it happened that the battery of my iPhone fucked up, so I had to get it replaced by Apple (thanks to being smart and having purchased a Care Protection Plan). So I made a backup, sent in the phone, got a new one and restored the backup. What I wasn't aware of was that the keys / data of Google Authenticator (my 2FA app) don't get backed up - seems like this is by design *sic*.

I won't bore you with how I got access back to my Linux box, NAS, Google etc. (thank God for backup codes); however, I must have misplaced the backup codes of my Twitter account.
Now what to do? The proper procedure would have been to set up the new phone and re-create 2FA in Google Authenticator on the new iPhone while still in possession of the old iPhone, so that I could still access my accounts. Well, I fucked up and now had to solve a few problems.

However, this post is about how I got access back to Twitter, and this is how it worked:

After realising that I still had my Twitter password, for what it was worth without my second factor, I went to Twitter's support page and explained my problem. After answering the usual questions, I received an email (on the very account linked to Twitter, which I could still access). Twitter support provided a case ID for further reference. Again, I explained my problem and told them that I had already tried everything mentioned on the support page, after which I received this mail:

So I did what Twitter asked me to, logged in with my password (couldn't provide the 2FA code though) and wrote back to Twitter:

To my surprise, Twitter wrote back immediately, and I was all set:

I went back to Twitter (my 2FA now disabled), logged on with my password, set up 2FA again and that was it.

"But Twitter can't simply remove 2FA - that's a security-risk, oh my God!"

Well, I understand if that's your point of view. However, I do see it slightly differently:

First, Twitter doesn't contain any secrets I need to protect from prying eyes. My posts are public; I wouldn't even mind if my DMs went public. However, I do want my account protected from being pwned. So in my case I was more than happy that Twitter offered a solution so I could get back in. Things are different with email and other, more sensitive stuff, but everything put on a social media platform is public anyway - get used to it (I'm quite aware that some people protect their tweets, which I somehow find ridiculous). As such, I can understand Twitter's modus operandi here and fully appreciate it.

Besides, you still need to know your old password (I truly hope it's a strong one) and you need access to the email account linked to Twitter (which hopefully is protected by a strong password and 2FA). Under those preconditions I don't have any problem with Twitter helping users get their account back when they've lost their second factor. I do, on the other hand, understand people who are a bit more security aware, but hey, that's Twitter and not a high-security vault. If people use weak passwords and don't protect their mail accounts with 2FA, my sympathy is very limited.

Lessons learned

  • When using 2FA, never ever misplace your backup codes
  • When replacing your phone, set up 2FA on your new phone first (use your old one to access your accounts) and only after you're all set, get rid of / sell / dump your old phone
  • Your email account is the path to most if not all of your other accounts in case you need to reset passwords: use STRONG passwords and always 2FA - once you lose access to your mail account, it's game over
  • 2FA via authenticator app is quite secure, but it's not bulletproof. If a phisher is targeting you and puts in some effort, setting up a reverse proxy for a phishing site is no rocket science. Meanwhile, there are even automated site builders available - so always check the URL when entering your password / 2FA.
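To make the first two lessons concrete: an authenticator app holds nothing but a shared secret (the seed behind the QR code), and the six-digit code is a deterministic function of that seed and the current time. Whichever phone holds the seed produces the same code, which is why the seed must be moved to the new phone before the old one is wiped, and why a backup that silently skips it leaves you locked out. The example below is added here and is not the author's code nor Google Authenticator's; it implements the standard RFC 6238 TOTP scheme that such apps use, plus a small single-use backup-code scheme of the kind a service like Twitter hands out. The base32 secret is the RFC 6238 test-vector seed, the backup-code storage format (per-user salt, PBKDF2 hashes, single use) is an assumption for illustration, and the `pbkdf2_hmac` parameters are chosen for the demo rather than taken from any real service.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo seed: the ASCII string "12345678901234567890" from RFC 6238,
# base32-encoded the way an authenticator QR code carries it.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator & co. use.

    The only persistent state is the shared secret. Two phones holding the
    same seed compute the same code; a phone without the seed computes nothing.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = int(now // step)                      # 30-second time window
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, now=None, window=1, step=30):
    """Server-side check that tolerates +/- `window` time steps of clock skew."""
    now = time.time() if now is None else now
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, now + skew * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def generate_backup_codes(n=8, iterations=50_000):
    """Return (plaintext codes to show the user once, record the service stores).

    Assumed storage format: only salted PBKDF2 hashes are kept, so a leaked
    database does not hand out working codes. Each code is 40 bits of entropy
    from the CSPRNG; the slow hash is what makes offline guessing expensive.
    """
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(n)]
    hashes = {
        hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations).hex()
        for c in codes
    }
    record = {"salt": salt, "iterations": iterations, "hashes": hashes}
    return codes, record


def redeem_backup_code(record, code):
    """Accept a backup code exactly once; a used code is removed from the record."""
    h = hashlib.pbkdf2_hmac(
        "sha256", code.encode(), record["salt"], record["iterations"]
    ).hex()
    if h in record["hashes"]:
        record["hashes"].remove(h)      # single use: replaying it later fails
        return True
    return False


if __name__ == "__main__":
    # "Old phone" and "new phone" given the same seed agree, which is all the
    # migration step in the lessons above has to achieve.
    print("old phone:", totp(RFC6238_SECRET_B32))
    print("new phone:", totp(RFC6238_SECRET_B32))
    codes, record = generate_backup_codes(4)
    print("backup codes (show once, then store only the record):", codes)
    print("first use ok:", redeem_backup_code(record, codes[0]))
    print("replay ok:   ", redeem_backup_code(record, codes[0]))
```

The RFC 6238 test vectors are a convenient sanity check: at Unix time 59 the seed above yields 94287082 as an 8-digit code, so the 6-digit form is 287082. Note that `verify_totp` compares with `hmac.compare_digest` and the set lookup in `redeem_backup_code` is only single-use bookkeeping; a real service would also rate-limit both paths.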