A simple example of two-factor authentication in action would be to have a website send you an SMS when you attempt to log in, containing a randomly generated number as a challenge code.
You then need to enter that number to complete the login and prove that you are who you say you are (or at least, that you are in possession of that person’s mobile phone, which is unlikely to be in the hands of the typical identity fraudster).
So far, so neat.
But what happens when – without warning – your mobile phone company stops sending you the SMS messages? How are you supposed to enter the random number and log into the account if you are never told what the number is?
As Juha Saarinen of the New Zealand Herald describes, that’s precisely what’s happening right now for Kiwi Twitter users who rely upon Vodafone for their mobile service.
Sure, you can probably survive without the ability to send and receive your Twitter updates via SMS, but if you signed up for 2FA to secure your account you’re shafted. Because you can’t even log into Twitter to disable 2FA!
According to reports, those who rely upon Facebook SMS messages are similarly finding themselves up the creek without a paddle.
Saarinen says that a Vodafone New Zealand spokesperson confirmed to him that the SMS texts are no longer being sent from the social networks, because the likes of Twitter and Facebook aren’t paying up:
“To be clear, we are not ‘blocking’ any service: we are simply applying to Twitter and Facebook the same principles that apply to all other customers on all Vodafone networks in requiring payment for the use of services. It’s important to ensure that operators are paid appropriately for the use of the networks they build and manage,” the spokesperson said.
In fairness, you can kind of see Vodafone New Zealand’s point. Why should Facebook and Twitter not have to pay for text messages they send via a phone company’s network? I have to pay when I send an SMS, so by what logic should huge social networking companies be exempt?
All the same, it’s once again users who are left in the lurch – because of the lack of warning from either their phone company or Twitter as to what was about to happen.
Judging by the Vodafone New Zealand message board, customers are less than impressed by the quandary they find themselves in:
Breaking the 2FA is seriously offending.
I have been a loyal VF customer from the day I moved to NZ 8 and a half years ago. After realizing 2FA with Facebook (or Twitter, FB being the more critical one) no longer works I have NO problems dumping VF; anyone who cares about online security does that without a blink. It won’t just be all my family’s mobiles, but also broadband.
Has anyone over there calculated how many customers you can lose before this becomes more expensive than allowing the SMS? I doubt it.
No excuses or apologies as these will not be accepted; fix it, or lose customers.
Some prior warning from Vodafone would have been nice, so we could choose to turn it off in the interim.
I haven’t seen reports of Vodafone users being locked out of their Twitter and Facebook accounts in other parts of the world yet, but I wonder if it’s only a matter of time.
One solution, of course, is to not use SMS-based authentication with the likes of Twitter and Facebook if your mobile phone provider isn’t supporting the messages.
Instead, you could use app-based authentication (Twitter calls it Login Verifications, and allows users to verify their identity via their official iOS and Android app) to provide an alternative method of receiving your challenge code.
Facebook also offers two-factor authentication – called Login Approvals – which can be delivered via SMS or as an in-app notification.
But none of that is going to be possible to set up unless you’re able to log into your Twitter account in the first place – and it seems Twitter-using Vodafone customers who took the sensible step of enabling two-factor authentication are currently locked out.
For those unfortunate users, the only options appear to be to plead for your phone provider to temporarily re-enable the service or contact Twitter support directly for assistance.
After all, ultimately this is Twitter and Facebook’s problem. They need to sort it out. And if that means they need to reach into their pocket and pay mobile operators to send SMS messages, so be it.
Make sure to follow me on Twitter at @gcluley. If you can access your account, that is…