I’ve long been an advocate for computer users to embrace two-factor authentication (2FA), a way for users to protect their accounts with something stronger than just a simple username and password.
A simple example of two-factor authentication in action would be to have a website send you an SMS when you attempt to log in, containing a randomly generated number as a challenge code.
You then need to enter that number to complete the login and prove you are who you say you are (or at least, that you are in possession of that person’s mobile phone, which is unlikely to be in the hands of the typical identity fraudster).
So far, so neat.
But what happens when – without warning – your mobile phone company stops sending you the SMS messages? How are you supposed to enter the random number and log into the account if you are never told what the number is?
As Juha Saarinen of the New Zealand Herald describes, that’s precisely what’s happening right now for Kiwi Twitter users who rely upon Vodafone for their mobile service.
In fact, Vodafone is no longer supported by Twitter *anywhere* in the world outside of (bizarrely) Turkey.
Sure, you can probably survive without the ability to send and receive your Twitter updates via SMS, but if you signed up for 2FA to secure your account you’re shafted, because you can’t even log into Twitter to disable 2FA!
According to reports, those who rely upon Facebook SMS messages are similarly finding themselves up the creek without a paddle.
Saarinen says that a Vodafone New Zealand spokesperson confirmed to him that the SMS texts are no longer being sent from the social networks, because the likes of Twitter and Facebook aren’t paying up:
“To be clear, we are not ‘blocking’ any service: we are simply applying to Twitter and Facebook the same principles that apply to all other customers on all Vodafone networks in requiring payment for the use of services. It’s important to ensure that operators are paid appropriately for the use of the networks they build and manage,” the spokesperson said.
In fairness, you can kind of see Vodafone New Zealand’s point. Why should Facebook and Twitter not have to pay for text messages they send via a phone company’s network? I have to pay when I send an SMS, so by what logic should huge social networking companies be exempt?
All the same, it’s once again users who are left in the lurch – because of the lack of warning from either their phone company or Twitter as to what was about to happen.
Judging by the Vodafone New Zealand message board, customers are less than impressed by the quandary they find themselves in.
Breaking the 2FA is seriously offending.
I have been a loyal VF customer from the day I moved to NZ 8 and a half years ago. After realizing 2FA with Facebook (or Twitter, FB being the more critical one) no longer works I have NO problems dumping VF; anyone who cares about online security does that without a blink. It won’t just be all my family’s mobiles, but also broadband.
Has anyone over there calculated how many customers you can lose before this becomes more expensive than allowing the SMS? I doubt it.
No excuses or apologies as these will not be accepted; fix it, or lose customers.
Some prior warning from Vodafone would have been nice, so we could choose to turn it off in the interim.
I haven’t seen reports of Vodafone users being locked out of their Twitter and Facebook accounts in other parts of the world yet, but I wonder if it’s only a matter of time.
One solution, of course, is to not use SMS-based authentication with the likes of Twitter and Facebook if your mobile phone provider isn’t supporting the messages.
Instead, you could use app-based authentication (Twitter calls it Login Verifications, and allows users to verify their identity via their official iOS and Android app) to provide an alternative method of receiving your challenge code.
Facebook also offers two-factor authentication – called Login Approvals – which can be delivered via SMS or as an in-app notification.
But none of that is going to be possible to set up unless you’re able to log into your Twitter account in the first place – and it seems Twitter-using Vodafone customers who took the sensible step of enabling two-factor authentication are currently locked out.
For those unfortunate users, the only options appear to be to plead for your phone provider to temporarily re-enable the service or contact Twitter support directly for assistance.
After all, ultimately this is Twitter and Facebook’s problem. They need to sort it out. And if that means they need to reach into their pocket and pay mobile operators to send SMS messages, so be it.
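To show the lock-out the article describes from the service side, here is an added example (not Twitter’s or Facebook’s code, and not from the original post) of a second-factor step that offers SMS only when the carrier gateway actually accepts the message, and otherwise falls back to an authenticator-app code (RFC 6238 TOTP) or a single-use backup code; the gateway, account and phone number are constructed for the example.

```python
import hashlib, hmac, secrets, struct

class SmsDeliveryError(Exception):
    """The carrier gateway refused the message (the failure the article describes)."""

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation), what an authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _h(code: str) -> str:  # backup codes are stored hashed; dashes/spaces ignored
    return hashlib.sha256(code.replace("-", "").replace(" ", "").encode()).hexdigest()

class Account:
    def __init__(self, phone=None, totp_secret=None, backup_codes=()):
        self.phone = phone                    # SMS method enrolled if set
        self.totp_secret = totp_secret        # authenticator app enrolled if set
        self.backup_hashes = {_h(c) for c in backup_codes}   # single-use codes
        self.sms_challenge = None

def start_second_factor(account, send_sms, now: int) -> list:
    """Methods the user can complete right now; an empty list is a locked-out user."""
    methods = []
    if account.phone:
        code = f"{secrets.randbelow(10 ** 6):06d}"      # fresh 6-digit challenge
        try:
            send_sms(account.phone, f"Your login code is {code}")
            account.sms_challenge = (code, now + 300)   # valid for five minutes
            methods.append("sms")
        except SmsDeliveryError:
            account.sms_challenge = None                # challenge never reached the user
    if account.totp_secret:
        methods.append("app")
    if account.backup_hashes:
        methods.append("backup")
    return methods

def verify_second_factor(account, method: str, submitted: str, now: int) -> bool:
    if method == "sms" and account.sms_challenge:
        code, expires = account.sms_challenge
        account.sms_challenge = None                    # one attempt per challenge
        return now <= expires and hmac.compare_digest(code, submitted)
    if method == "app" and account.totp_secret:
        # Accept the current 30-second step and its neighbours to tolerate clock drift.
        return any(hmac.compare_digest(totp(account.totp_secret, now + d), submitted)
                   for d in (-30, 0, 30))
    if method == "backup" and _h(submitted) in account.backup_hashes:
        account.backup_hashes.discard(_h(submitted))    # burn the code after use
        return True
    return False
```

An account enrolled with SMS alone gets an empty method list the moment the carrier stops delivering, which is exactly the position the locked-out Vodafone customers are in.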
Make sure to follow me on Twitter at @gcluley. If you can access your account, that is…
3 comments on “Twitter’s spat with Vodafone leaves 2FA users locked out”
Well here in the US, we customers pay for the text for 2 factor. Failing that, if you lose your phone, there are backup codes I can use for Google, Dropbox, and I think one other account. Then there are backup emails for account recovery too. Because if you lose your phone, how else do you get the codes? I think if people act as though their account has been taken over, then the account recovery process should help get them a reset. I think I have backup codes for Twitter or Facebook, but will have to look.
I'd been using SMS 2FA on PayPal for a while when that stopped working for me a couple of years ago. PayPal was aware of the issue and I understood at the time that it was a technical problem (which might have been a euphemism for someone not having paid the bills). I had to disable 2FA and was uneasy until it equally mysteriously started working again, maybe 6 months later.
The issue isn't the end users – they're just the ones with the problems. This could happen to you as well. The issue is that they aren't receiving the code because (example) twitter no longer uses Vodafone (whether because of not paying or not like the others mentioned I don't know, nor do I really care) and consequently the messages aren't sent in the first place.
POTS (plain old telephone service) – i.e. copper – requires two or more (three-way calls and also party lines) parties (which makes sense, unless you like talking to a disconnected phone or a phone with no service… personally I prefer talking back to the voices that only speak to me). Twitter/others aren't telcos and as such they will have to pay like others (and actually, some telcos will pay others for equipment and this also goes for ISPs) and more generally they're on the terms of the carrier in question (like Vodafone). But instead of POTS, here, you have mobile phones (over cell technology, which is why the US calls them cell phones – and calls the phones as well, I suppose – and is why they have cell sites) – you still need someone to communicate with, though. The only difference, perhaps, is mobility costs more (depending on provider, of course) and has other problems (that some may never have to experience but the problems still exist – of course no service is immune to problems but wireless has more problems than wired).
This has nothing to do with Twitter users; this has everything to do with Twitter and Vodafone. It's like this: if a company doesn't pay their ISP and their service is terminated then the customers of the company (that didn't pay the ISP – or the ISP is having an outage, maybe) won't be able to access the company's website. That's what this is, only the provider isn't Internet service. If you still don't understand this, this link might help you see the different services Twitter wants with mobile carriers: