[testific8]

2FA has historicially been broken because it is usually attached to a phone number, and phone service providers are suseptable to social engineering. What twitter (and other websites) should be using is PGP, where the user holds the secret key, and there are separate forms on messages to view PGP signatures, and forms on accounts to view their public keys.

[35fbe7d3d5b9]

PGP is possibly the only workflow worse than SMS based 2FA for humans.

[yjftsjthsd-h]

Depends on how you mean "worse"; PGP is very secure with poor UX, SMS is less secure but honestly decent UX.

[35fbe7d3d5b9]

Separating UX and "security" from a cryptosystem is impossible. Poor UX leads directly to security vulnerabilities.

Heck, we've seen that in library code: your AES implementation may be sound, but if the library interfaces make it easy to reuse an IV, or use a null IV[1], you have a broken cryptosystem.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408

[testific8]

How so?

[35fbe7d3d5b9]

I don't even know where to start: backwards compatibility to 90s era crypto, no forward secrecy, a web of trust model that encourages you to have a long-lived key – because with short-lived keys your trust has to be rebuilt after expiry, a cryptosystem that violently leaks metadata...

PGP should've died years ago; there are far better options today.

[input_sh]

Convincing non-techies to use GPG just occasionally is going to backfire pretty quickly.

And I say this as someone who works at a journalist organization where if your editor catches you not using it, you're definitely gonna get scolded.

Software 2FA is much easier to enforce.