/>
X
Innovation
Why you can trust ZDNET : ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission. Our process

'ZDNET Recommends': What exactly does it mean?

ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.

When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.

ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.

Close

Stop using Twitter to log in to other websites

With Twitter's growing technical problems, you can't rely on it as your single sign-on for other sites.
2FA on a tablet and phone
Getty Images/iStockphoto

With all of Twitter's ever-growing technical problems, I'd missed an elephant in the room-sized disaster. Fortunately, a friend reminded me that many people use Twitter's log-in as their login for other websites. Eep! You need to stop doing that right now.

Why? Because part of Twitter's log-in system is already broken. Twitter's text two-factor authentication (2FA) started breaking on Monday, Nov. 14. This came after Twitter CEO Elon Musk announced that Twitter would be "turning off the 'microservices' bloatware."

Musk may be great at launching rockets, but that may not translate to accuracy in identifying microservices bloatware. One or more of those services was essential to 2FA (two-factor authentication) using text messages. Text, aka SMS, 2FA is the most commonly used form of 2FA. The result of this removal is that if you had 2FA set to protect your account from hackers, you can no longer use it to change your password or log back in if you thumb-finger your password. 

Also: Best Twitter alternatives

Ian Coldwater, Kubernetes Security co-chair and Twilio architect, who knows a thing or two about security and microservices, tweeted, "The microservice that delivers SMS-based 2FA codes is broken. There are also reports of backup codes being broken. If you have SMS 2FA, don't log out."

Coldwater recommended staying logged in and changing your 2FA method from text message to email or an authenticator app or a physical security key (such as a YubiKey).

So much for Twitter. But, what's potentially even worse is if you use Twitter for single-sign-on (SSO) on other sites, you could also be blocked from them. As Coldwater tweeted, "If you have any apps or sites you log in to connected to your Twitter account via OAuth, I STRONGLY recommend changing that right now while you still can."

To change your Twitter 2FA, go to Settings & Support > Settings & Privacy > Security & Account Access > Security > Two-factor authentication.

If text has been chosen for your 2FA method, switch from that to either an authenticator app or a security key. Just follow the instructions, and you should be fine… for now.  

Also: Mastodon isn't Twitter but it's glorious

Another thing to keep in mind: You often see SSOs as an invitation on sites as an easy way to log in without creating yet another password. Instead, you just use your Google, Microsoft, Facebook, Apple, or Twitter login name and password instead. 

That's fine. If you trust the major site to stay stable and protect your data. But in the current circumstances, Twitter isn't trustworthy in that sense.

You should immediately go to those sites where you use Twitter to log in and replace it with something -- anything -- else. To find out which sites you're using Twitter as your SSO for, go to the Twitter app or website and check Settings & Support > Settings & Privacy > Security & Account Access > Apps & sessions.

Once there, check Connected Apps for applications that have read-write permissions to Twitter or vice versa. Then, check Account access history for sites that have used Twitter for logins recently. 

Armed with this information, go to the sites and services you've found and switch to another, more stable login and password. The way things are going, it's only a matter of time before there's another Twitter tech crackup, and you don't want to be locked out of other sites when -- not if -- Twitter fails.

Related Stories:

Editorial standards

Related

Elon Musk tries to start a Twitter fight with Apple
elon-musk-twitter

Elon Musk tries to start a Twitter fight with Apple

Why Hive Social is not a viable Twitter alternative (yet)
hive-logo

Why Hive Social is not a viable Twitter alternative (yet)

Elon Musk meets Tim Cook, says Twitter row was 'misunderstanding'
elon-musk-twitter

Elon Musk meets Tim Cook, says Twitter row was 'misunderstanding'