Twilio breach shows massive vulnerability of security measures

When the second factor is compromised

Twilio is a company that provides customers with 2-factor authentication tools. “2FA” or even multi-factor authentication has become standard security practice for web accounts—users are often asked to confirm actions like logging in or authorizing payments by entering in a code sent to their phone (or email account). One of the major providers of SMS services, Twilio also offers a 2FA app called Authy.

But Twilio got hacked earlier this year. There was a pretty severe compromise:

“Once inside Twilio's systems, the hackers accessed customer data using administrative portals, accessed Authy 2FA accounts and codes, and registered their own devices to obtain temporary tokens.”

So the telephone network is already pretty insecure at the level of user phone numbers (with vulnerabilities like SIM swapping) but now Twilio has also shown worrying weaknesses. As much help as multi-factor authentication can offer, it is not without its leaks.

¹

Nothing is watertight, of course, but other companies offer a version of an authentication app—I have used the one from Microsoft for example. These apps generate codes or get them from the Internet instead of using the telephone network—they are hypothetically more secure, but as we have now seen they do rely on a centralized provider to keep data safe.

²

1

At this point the second “factor” always seems to come from some outside source—a phone number, an app, an email, a device—always something exogenous to the person logging in. Possibly, in the future using a second factor based on a user-controlled key could be made more available.

2

Just keep in mind that you have to be careful when changing phones as the authenticator app and its data may not transfer over as smoothly as the phone number does, and that only a small but growing percentage of companies offer using an app-based factor as an option.