Twitter users experience apparent SMS 2FA disruption

Twitter's mobile SMS two-factor authentication was apparently unavailable as users reported they were not receiving confirmation codes.

Twitter's 2FA issues began Monday following a tweet from Twitter CEO Elon Musk, who on Oct. 27 completed his $44 billion acquisition of the social media giant. Musk's tweet said Twitter will be eliminating microservices "bloatware," claiming that less than 20% were needed for Twitter to operate.

A wave of user complaints came in the following hours, claiming that mobile 2FA wasn't working. TechTarget Editorial created a fresh Twitter account with mobile authentication on Tuesday morning and never received a text. Shortly after, we submitted a request to download the Twitter archive of a preexisting account, and 2FA verification was successful.

Neither Musk nor Twitter has confirmed that SMS 2FA service experienced any disruptions. Moreover, Twitter has not responded to TechTarget Editorial's request for comment at press time.

Kubernetes SIG Security co-chair and Twilio architect Ian Coldwater wrote in a Monday tweet that the service was currently broken and that backup codes might also be broken.

"If you have SMS 2FA, don't log out. If you're still logged in, change your 2FA to email, authenticator app, or a physical security key," they wrote.

Twitter engineer Sheon Han predicted on Monday that Twitter will experience a major outage "in the next few days" if Musk follows through with his plan to turn off 80% of the platform's microservices.

Part of today will be turning off the "microservices" bloatware. Less than 20% are actually needed for Twitter to work!

— Elon Musk (@elonmusk) November 14, 2022

Musk's acquisition of Twitter has faced heavy controversy since its completion. In early November, Musk laid off approximately 3,700 Twitter employees -- roughly half of the company's staff. On Nov. 10, former CISO Lea Kissner announced via a tweet that they were leaving the company, along with Twitter's chief privacy officer and chief compliance officer. It is unknown if a new CISO has taken Kissner's place.

In addition, Twitter's new security woes come mere months after the social media company was rocked by a whistleblower report from Peiter "Mudge" Zatko, who previously served as Twitter's security head. In his report, Zatko claimed many Twitter employees had access to sensitive user data repositories and accused the company of not properly tracking or deleting user data.

The Federal Trade Commission (FTC) also fined Twitter $150 million earlier this year for violating an order against deceptively using personal information. The company had previously admitted to misusing information including mobile phone numbers provided by users for 2FA.

"We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees," an FTC spokesperson said in a statement to TechTarget Editorial. "Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them."

Alexander Culafi is a writer, journalist and podcaster based in Boston.