How to set up TOTP authentication (mobile authenticator app) for Twitter two-step verification
In the early hours of February 18, 2023, Twitter announced a policy limiting SMS two-step authentication to Twitter Blue (paid plan) subscribers. This article explains how to set up TOTP authentication in place of SMS authentication.
Why should you migrate in the first place?
Migrate by March 19, 2023
To avoid losing access to Twitter, non-subscribers are being asked to remove SMS authentication by March 19, 2023. The other two-factor methods, authenticator apps and security keys, remain available, so let's move to TOTP authentication.
TOTP authentication is more secure than SMS authentication
Why do we have to move in the first place? I think there are also users who have doubts about this. TOTP (Time-based One-Time Password) authentication works by entering into the service a number (one-time password) shown by an app on your device, which changes every 30 seconds or 1 minute. The app on the device and the service provider do not communicate with each other; instead, both hold the same secret and the same calculation formula, so they produce the same number. The result of that calculation is used as a password to authenticate.
Unlike SMS authentication, where the service provider sends the number to you, the number never travels over a communication path where it could be intercepted, so TOTP can be called a more secure form of authentication.
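As an added illustration of the mechanism just described (example code, not from the original article), here is a small Python implementation of HOTP and TOTP as specified in RFC 4226 and RFC 6238, together with a parser for the otpauth:// key-URI format that authenticator apps such as Google Authenticator read from a setup QR code. The secret is the RFC test key and the account label is a constructed placeholder, not anything from a real Twitter account. The server-side verify function goes slightly beyond the article: it shows the one-step tolerance window and the constant-time comparison a service needs when phone and server clocks drift apart.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"),
# base32-encoded the way an otpauth:// QR payload carries it. Not a real account secret.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed sample QR payload in the otpauth key-URI format (hypothetical account name).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Twitter:%40example_user?secret=" + SAMPLE_SECRET_B32
    + "&issuer=Twitter&algorithm=SHA1&digits=6&period=30"
)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret; QR payloads often omit '=' padding and may contain spaces."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_base32_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps to
    tolerate small clock drift between phone and server; compare in constant time."""
    counter = int(unix_time) // period
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        # Check every candidate rather than returning early, so timing does not reveal which matched.
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that authenticator apps read from a setup QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def demo() -> dict:
    """Phone and server compute the code independently from the shared secret; nothing is
    exchanged between them except the code the user types."""
    enrolled = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    now = 59  # constructed timestamp; RFC 6238 gives 287082 (6 digits) for this key at T=59
    phone_code = totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"],
                      enrolled["algorithm"])
    return {
        "phone_code": phone_code,
        "server_accepts_now": verify_totp(SAMPLE_SECRET_B32, phone_code, now),
        # The same code typed 30 s later still falls inside the +/-1 step window.
        "server_accepts_one_step_late": verify_totp(SAMPLE_SECRET_B32, phone_code, now + 30),
        # Two steps later it has expired.
        "server_accepts_two_steps_late": verify_totp(SAMPLE_SECRET_B32, phone_code, now + 60),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` function is the point of the article in code: the phone side never talks to the server, yet both arrive at the same six digits because they share the secret that was transferred once, via the QR code, at enrollment. That is also why the secret (and the QR code) must be protected like a password, and why an exported authenticator backup deserves the same care.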
Furthermore, the fatal problem with SMS authentication lies on the mobile carrier's side: a technique called SIM hijacking (SIM swapping), in which the attacker takes over the mobile line contract itself. It has recently become common overseas.
In Japan, carriers are obliged to verify identity, so it has not become so conspicuous, but there have recently been reports of domestic incidents in which someone claimed to have lost a SIM card, presented a forged driver's license, had the SIM reissued, and hijacked the line.
Also, while Rakuten Mobile's eSIM issuance procedure is simple and user-friendly, it raises some security concerns at the moment (though you need not worry too much if you never reuse passwords). Against this background, TOTP authentication is the more secure choice.
Is it due to cost reduction?
Also, from the service provider's perspective, this is not only about improving safety.
TOTP authentication, which needs no outside message delivery, costs less than SMS authentication, which costs a few yen per message. That is why SMS authentication is being retained only for paying subscribers.
How to migrate to TOTP authentication
Setting method
Open Twitter's settings and set up TOTP authentication there. We recommend opening the settings on a PC and reading the QR code with the authenticator app on your smartphone.
The path through the Twitter settings is as follows.
- Settings and Support → Settings and Privacy → Security and Account Access → Security → Two-Factor Authentication → tick the "Authentication app" checkbox
A QR code will be displayed there; read it with the authenticator app and register it.
On the smartphone side you can use "Google Authenticator", "Microsoft Authenticator", "1Password", or the iOS built-in "password manager" as the authenticator app. Simply read the QR code with one of these.
Google Authenticator → "+" button at the bottom right → Scan a QR code
If you are a 1Password user, "Edit" the item in which you have registered your Twitter ID and password, add "One-time password" from "Add more", press the QR icon on the right side of the input field to start the camera, and read the Twitter QR code shown earlier.
The password manager reachable from iOS Settings → Passwords also lets you set up a one-time password by scanning the QR code.
Settings → Passwords → Twitter → Account options → Set up verification code → Scan QR code
How to use
Two-factor authentication runs when you change your most important account settings or when you log in on a new device. The authentication code you are asked to enter at that time is the number displayed in the app. Enter this one-time password and you will be able to log in.
Digression
Operating on multiple devices
Don't forget to migrate the authenticator app when you change phones, and manage it properly.
With Google Authenticator, if you read the QR code on multiple devices at setup time, you can operate with multiple devices, but synchronization between them is not possible. Be sure to export and migrate your entries after buying a new phone.
Microsoft Authenticator can be backed up in the cloud with a Microsoft account or iCloud.
1Password, which is paid password management software, is easy to synchronize, but to keep TOTP more secure, rather than managing passwords and one-time passwords centrally in one place, I think it is better to manage the one-time passwords in a separate app.
Poor explanation
The explanation Twitter suddenly displayed in the app, "Please remove two-factor authentication using SMS", is astonishing. It gives no thought to the user's psychology. In fact, many people were suddenly told "remove it, use an authenticator app or security key" and did not understand what it meant at all.
Here is what Twitter should have shown in the app: "To strengthen security, Twitter will move from SMS two-factor authentication to TOTP authentication, which is more secure. You can use the Google app that many services have already adopted, and it is easy to set up. We will continue to support the costly traditional SMS method only for paying users."
Although cutting unnecessary personnel within Twitter was unavoidable, I think it would have been better to at least keep staff who communicate with users.