Two weeks later of extreme chaos on Twitter, users flock to the site and flee. More quietly, many probably probe their accounts, check their security settings, and download their data. But some users report problems when they try to generate two-factor authentication codes via SMS: the texts don’t come or they are delayed for hours.
The glitchy SMS two-factor codes mean that users can lose access to their accounts and lose control of them. They may also find that they cannot change their security settings or download their data via Twitter access function. The situation also provides an early indication that problems within the Twitter infrastructure are bubbling to the surface.
Not all users have trouble receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may have no reason to test the mechanism. But users themselves have been reporting problems on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The collapse comes less than two weeks after Twitter laid off about half of its employees, about 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have gone to great lengths to tweak Twitter’s offerings and build new features according to new owner Elon Musk’s agenda.
Reports indicate that the company may have laid off too many employees too quickly and that it has attempted to take back some employees. Meanwhile, Musk has publicly said he is instructing staff to shut down some parts of the platform. “Part of today will be disabling the ‘microservices’ bloatware,” he said tweeted this morning. “Less than 20 percent is actually needed for Twitter to work!”
Twitter’s communications department, which reportedly no longer exists, did not respond to WIRED’s request for comment about problems with SMS two-factor authentication codes. Musk didn’t reply to one tweet ask for comment.
“Temporary outages of multi-factor authentication can result in people being denied access to their accounts. But what’s even more worrying is that it will encourage users to just turn off multi-factor authentication altogether, making them less secure,” said Kenneth White, co-director of the Open Crypto Audit Project and an experienced security engineer. “It’s hard to say exactly what’s causing the problem so many people are reporting, but it certainly could be the result of massive changes to the web services that have been announced.”
Text messages aren’t the most secure way to receive authentication codes, but many people trust the mechanism, and security researchers agree it’s better than nothing. As a result, even intermittent or sporadic outages are problematic for users and can pose a risk.
Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. For example, in August 2020 Twitter Support tweeted, “We are investigating account verification codes that are not delivered via text or phone call. We apologize for the inconvenience, and we will keep you posted as we continue our work to resolve this.” Three days later, the company added, “We have more work to do on resolving the verification code delivery, but we are making progress. We’re sorry for the frustration this has caused and appreciate your patience as we continue to work on this. We hope it is resolved soon for those of you who have not received a code.”