After two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. Quietly, many are likely reviewing their accounts, checking their security settings, and downloading their data. But some users report problems when trying to generate two-factor authentication codes via SMS: either the SMS does not arrive or it is delayed for several hours.
The glitchy SMS two-factor codes mean that users could get kicked out of their accounts and lose control of them. They might also find themselves unable to change their security settings or download their data using Twitter’s access functionality. The situation also provides a first hint that problems within Twitter’s infrastructure are coming to the surface.
Not all users have problems receiving SMS passcodes, and those who rely on an authenticator app or physical token to secure their Twitter account may not have reason to test the mechanism. But users have been reporting issues themselves on Twitter since the weekend, and WIRED has confirmed that on at least some accounts, authentication texts are delayed for hours or don’t come at all. The collapse comes less than two weeks after Twitter laid off about half of its workers, about 3,700 people. Since then, engineers, operations specialists, IT staff and security teams have been strained trying to adapt Twitter’s offerings and build new features on new owner Elon Musk’s schedule.
Reports indicate that the company may have terminated too many employees too quickly and attempted to rehire some workers. Meanwhile, Musk has publicly stated that he is ordering staff to disable parts of the platform. “Part of the day will be disabling ‘microservices’ bloatware,” he tweeted this morning. “Less than 20% is actually needed for Twitter to work!”
Twitter’s communications department, which apparently no longer exists, did not return WIRED’s request for comment on issues with SMS two-factor authentication codes. Musk did not respond to a tweeted request for comment.
“A temporary outage of multi-factor authentication could have the effect of locking users out of their accounts. But the even more worrying concern is that it will encourage users to disable multi-factor authentication altogether, making them less secure,” says Kenneth White, co-director of the Open Crypto Audit Project and long-time security engineer. “It’s hard to say exactly what caused the problem reported by so many people, but it could certainly be the result of large-scale changes to the web services that have been announced.”
Text messages are not the safest way to receive passcodes, but many people rely on this mechanism, and security researchers agree that it’s better than nothing. Therefore, even intermittent or sporadic outages are problematic for users and could put them at risk.
Twitter’s SMS passcode delivery system has repeatedly encountered stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We are investigating account verification codes that are not being delivered via text or phone call. Sorry for the inconvenience, and we will keep you updated as we continue our work to resolve this issue.” Three days later, the company added, “We still have work to do to fix the delivery of the verification code, but we are making progress. We are sorry for the frustration this has caused and appreciate your patience as we continue to work on it. We hope this will be soon fixed for those of you who don’t get a code.”