Twitter Restricts Two-Factor Authentication
New owner Elon Musk has “superfluous” microservices shut down. As a result, SMS-based two-factor authentication no longer works.
The measures initiated by Twitter’s new owner Elon Musk to reorganize the company have apparently left Twitter’s two-factor authentication (2FA) working only to a limited extent. According to Ian Coldwater, security chair of the Kubernetes SIG, the microservice required for SMS-based authentication was shut down at Musk’s behest.
On Nov. 14, Musk announced via tweet that Twitter would disable “redundant” microservices: “Less than 20 percent are actually needed to run Twitter.” Coldwater commented with a warning to all users who have SMS set as 2FA for their Twitter account: “The microservice that provides SMS-based 2FA codes is broken. There are also reports of broken backup codes. If you have SMS 2FA, do not log out.”
Affected users should use the Twitter app or Twitter’s website to turn off SMS-based authentication and instead secure their account with a hardware security key or an authenticator app. This option can be found in the menu under Settings and Support > Settings and Privacy > Security and Account Access > Security. There, you can also activate several methods for the two-step login at once.
Users should also take the unannounced and probably unintended shutdown of the microservices for SMS-based 2FA as an opportunity to check whether they log in to other services with their Twitter account. If you lose access to your Twitter account due to technical problems at Twitter, you will also lose access to the accounts you log in to via Twitter.
In the Security and Account Access settings, Twitter also offers the option to view connected accounts. “These are the social media accounts that are linked to a Twitter account for sign-in,” is how Twitter describes the feature. However, before unlinking, you should choose a different login method in the settings of the account in question.