Did you hear Twitter was recently fined $150 million for using the personal information its users had provided for 2FA to sell targeted advertising on the platform? As personal data is increasingly exposed and abused, 2FA has become an extra security measure for account access. But it’s vital you take care when setting up 2FA using your personal information. MySudo can help.
What is 2FA?
2FA stands for two-factor authentication. It’s an extra security measure that asks you to enter two different pieces of information (factors) to access an account. Each factor helps prove to a system that you own the account or have a right to access it.
Typically, you access an account with a username and password pair, or simply a password. This is single-factor authentication. For 2FA, the system requires an extra factor to support the password. The extra factor is usually a numeric code texted to a device you own, but it might also be a QR code scan or a biometric factor such as a thumbprint or retina scan.
2FA or multi-factor authentication came about because passwords are a fragile security measure and are easily exposed in criminal data breaches, which are at an all-time high.
What did Twitter do wrong with 2FA?
Twitter in the US was recently fined $150 million for selling to advertisers the personal email and phone numbers that 140 million of its users had given for 2FA on their accounts. Instead of respecting user privacy and using the information only for 2FA, Twitter sold it to advertisers so they could serve targeted ads on the platform.
By selling users’ 2FA data for ad revenue, Twitter violated the Federal Trade Commission Act and a 2011 settlement with the FTC in which Twitter had vowed not to give user information to advertisers. FTC chair, Lina Khan, said about the ruling: “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads.” Twitter’s primary revenue source is advertising, so this is yet another case of Big Tech trading users’ privacy for profit.
Is the information you give for 2FA private and secure?
While 2FA works (Microsoft reports it stops 99.9% of automated account attacks, and Google is also a fan) and we recommend it in the fight against data breaches, 2FA is not foolproof. For example, one way hackers get around 2FA SMS codes is a scam called SIM swapping which, incidentally, is how Twitter CEO Jack Dorsey’s account was hacked in 2019.
But the separate question here is whether the companies that collect and store your personal email and phone number for 2FA are truly good stewards of that personal data. Clearly Twitter wasn’t. Who else isn’t?
MySudo protects your personal information in 2FA — and everywhere else
The all-in-one privacy app MySudo is great for 2FA because you don’t have to use your personal email and phone number at all. Instead, when setting up 2FA on an account, you can use the alternative email and phone number you’ve assigned to one of your Sudo digital profiles in the app. (Read: The 5 Big Benefits of Using the Private Email in MySudo, including that between MySudo users it’s encrypted email, and The 6 Big Benefits of Using the Phone Numbers in MySudo, including that it’s a private number and enables encrypted messaging.)
What’s more, MySudo lets you use a different Sudo email and phone number to set up each of your account 2FA systems. Through the power of compartmentalization, and using one of our top monthly plans with the most Sudos (e.g. SudoMax has 9 Sudos), you can further disaggregate your account logins and stay more private and secure.
Take that, Twitter!