#SMS #MFA is disliked by a lot of tech professionals and companies because it is susceptible to a variety of attacks, especially targeted attacks.

BUT it remains one of the best and easiest options for people who are difficult to onboard to device-based MFA and (in my personal experience) a good stepping stone to other device-based MFA methods.

Let's look at Google's 2019 research into the subject. storage.googleapis.com/pub-too

#Twitter

Of all of the various device-based challenge methods, only SMS gains even partial fulfillment in frictionless onboarding and while you do have something to carry, you have nothing _additional_ to carry or install beyond what most people already are set up with.

I have tried, for example, to onboard people with security keys and they _keep losing them_ or _disabling them_.

They don't have the ability to plug it into their phone, they forgot to charge it, they left it at home as our society goes more and more keyless, it fell out of their wallet, it stopped working because fairies, it got wet…

That ease of use is a _huge_ factor in onboarding and keeping people using them.

Also while SMS MFA is not perfect by a long shot and is especially susceptible to spear phishing it works _pretty well_.

Is it as good as other options? Heck no!

But would I describe it as "terrible" the way some commentators do? Eh, not really. Preventing 76% of targeted attacks and 100% of bot attacks is certainly not nothing.

When we look at the adjusted pass rate—users who actually get in successfully via the method—it looks pretty good as well, and certainly better than the other options listed.

In short: this is a system that is very easy for your average customer to onboard with and use.

#TOTP tokens would seem to be easy enough—you already have your phone on you and it is usually in an app—but I can't tell you the number of people I've seen run into challenges when they change phones. Especially if the previous phone was lost or destroyed.

They don't remember their authy password. They never printed their backup keys. Google Authenticator doesn't transfer between devices. They forgot to transfer the number.

SMS just… works in these situations.

Completely anecdotally (in a thread with a lot of anecdata already) I've also found it easier to _upgrade_ people from #SMS to Some Other Method™ in the future.

Once you get their foot in the door and they get into the habit of using #MFA, it is easier to get them to add other methods and thus shrink their attack surface.

Maybe they leave SMS as a backup for a while until they are confident, that's still a huge win: the attack surface of SMS as a backup is smaller than daily use.

Does any of this say that #SMS #MFA is _better from a security standpoint_?

For an individual, _hell no_. Especially if you are in a high profile situation (e.g., jack on twitter), have privileged access to a company, or would otherwise be a more tempting target to a dedicated attacker.

But is it "terrible"?

I'd argue that _if you factor in usability_ the answer to that is a resounding **no**.

So back to #Twitter.

Compromising #twitter accounts, except for the highest profile situations or situations where they are using it for OAuth into something more critical, is mostly going to look like a bot attack or a general phishing attack.

Preventing 95+% of these sorts of things is incredibly valuable.

Turning that off is _unconscionable_.

OTOH, if you truly believe that it is terrible, _leaving it enabled for your highest engagement accounts is not good either_.

#BirdSite #MFA #SMS

The _only_ light in which this decision makes sense that I can ascertain is that Musk is simply _incompetent_.

Not diabolical, not calculating, not brilliantly trying to destroy twitter for leftists or convert it. Any of those things _may_ be true (separate argument), but in terms of this sort of decision:

He's just _not competent in this space_ and has no idea what he is doing.

#Twitter #BirdSite #SMS #MFA

@hrefna my understanding is that some telcos had bots just constantly 2fa-ing so they could collect the SMS fees.
