Twitter is transitioning away from from its two-factor authentication (2FA) provider, Mitto AG, a Swiss communications company.
The social media giant broke the news to US Senator Ron Wyden of Oregon. It is noted that Twitter’s decision to move away from Mitto AG came after allegations that its co-founder and Chief Operating Officer, Ilja Gorelik, sold access to Mitto’s networks to surveillance technology firms. Talking to Bloomberg, an aide close to Wyden said that Twitter cited media reports as a significant factor for its decision.
In December, Bloomberg reported that Gorelik had sold access to Mitto’s networks between 2017 and 2018. The companies that bought the access reportedly used it to help governments conduct secret surveillance against users through their phones.
Mitto AG is a top provider in its industry and boasts a roster of big-named clients like Alibaba, Google, LinkedIn, Telegram, Tencent, TikTok, and WhatsApp. Representatives of the company have told its clients that Gorelik departed the company after these allegations arose. It isn’t clear if Gorelik left of his own accord or was pressured.
As of this writing, Twitter has yet to name a new 2FA provider.
So where does that leave Twitter users who use SMS 2FA? Although Twitter hasn’t hinted at temporarily suspending this particular option, users may opt to use two other forms of 2FA on offer: An authentication app or a security key. Twitter has a ready help page here on how to sign up.
The curious case of Mitto AG
While many may have been shocked by events involving Mitto, critics argue that the mobile industry has been known for such abuses for years.
“For years mobile industry organizations such as the GSMA have been aware of operators selling network access resulting in targeted surveillance,” Gary Miller, a mobile security researcher at Citizen Lab, told Bloomberg. “The lack of regulation and accountability has brought unnecessary privacy and security risks to mobile users across the globe.”
The GSMA is an organization that represents the interests of the mobile industry with groups/chapters all around the globe. When interviewed about the Mitto case, a spokesperson from the group said that GSMA “takes network security and privacy very seriously and plays a leading role in creating a safer experience for mobile subscribers.”
Dario Betti, CEO of the Mobile Ecosystem Forum, of which Mitto is a member, didn’t comment on the Mitto case but said in a broader context that abuses pose “a threat to the market and the market has to close down all these bad behaviors.”
“This is an industry built on trust, and we need to maintain that trust,” he added.