Twitter’s SMS Two-Factor Authentication Is Melting Down

Nov 14, 2022 8:08 PM

Twitter’s SMS Two-Factor Authentication Is Melting Down

Problems with the important security feature may be some of the first signs that Elon Musk’s social network is fraying at the edges.

High angle view of numbers made from wood cutouts on purple background.

Photograph: Javier Zayas Photography/Getty Images

Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours.

The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter's access feature. The situation also provides an early hint that troubles within Twitter's infrastructure are bubbling to the surface.


This content can also be viewed on the site it originates from.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twiter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter's offerings and build new features per new owner Elon Musk's agenda.

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

Twitter’s communications department, which reportedly no longer exists, did not return WIRED's request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.

“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It's hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced."


This content can also be viewed on the site it originates from.

SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it's better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.

Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we're making progress. We're sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren't receiving a code.”

Most Popular

That the issue seems to be recurring now indicates, perhaps, that systems Twitter has long struggled to maintain are among the first to destabilize without adequate maintenance and support. Current and former employees have painted a picture of Twitter as having convoluted and brittle technical infrastructure. Meanwhile, Musk's revisions to Twitter's “blue check” account-authentication policies have led to rampant scams on the site and even more extensive content moderation issues than existed under previous leadership.

If you haven’t already, switch to an app for generating your multifactor authentication codes, such as Google Authenticator. On Twitter go to“Settings and Support,” tap “Settings and privacy,” then “Security and account access,”“Security,” and then “Two-factor authentication.” Disable “Text message” if you have it in and instead toggle “Authentication app” and follow the instructions for adding Twitter to your authentication app. Or if you prefer to use a physical authentication token, turn on “Security key.”

For users who can't receive their SMS two-factor codes, though, questions about whether Twitter is in decline or what could be coming next are moot—the site already feels broken.

“It’s hugely problematic to require 2FA for something and not be able to fulfill it for authentication, whether it’s SMS or anything else,” says Jim Fenton, an independent identity privacy and security consultant. “It’s problematic, because it’s denying service to Twitter users.”

More Great WIRED Stories

Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University. Additionally… Read more
Senior Writer

More from WIRED

Here’s How Bad a Twitter Mega-Breach Would Be

Elon Musk laid off half the staff, and mass resignations seem likely. If nobody’s there to protect the fort, what’s the worst that could happen?

Lily Hay Newman

Elon Musk’s Twitter Is a Scammer’s Paradise

Anyone can get a blue tick on Twitter without proving who they are. And it’s already causing a ton of problems.

Matt Burgess

If Musk Starts Firing Twitter's Security Team, Run

What's next for the social network is anyone's guess—but here's what to watch as you wade through the privacy and security morass.

Lily Hay Newman

A Bug in Apple MacOS Ventura Breaks Third-Party Security Tools

Your anti-malware software may not work if you upgraded to the new operating system. But Apple says a fix is on the way.

Lily Hay Newman

You Need a Password Manager. Here Are the Best Ones

Keep your logins locked down with our favorite apps for PC, Mac, Android, iPhone, and web browsers.

Scott Gilbertson

Twitter’s Ex-Election Chief Is Worried About the US Midterms

Edward Perez says that “manufactured chaos” by bad actors will be even riskier thanks to Elon Musk’s own mayhem.

Chris Stokel-Walker

The ‘Viral’ Secure Programming Language That’s Taking Over Tech

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Lily Hay Newman

How to Avoid Black Friday Scams Online

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

David Nield

Credit belongs to :

Check Also

A Damning US Report Lays Bare Amazon’s Worker Injury Crisis

Photograph: Rich Pedroncelli/AP Anna Kramer Business Jan 18, 2023 7:49 PM A Damning US Report …