December 16, 2022 By Mike Elgan 4 min read

Twitter has been verifiably bonkers since electric car and rocket mogul Elon Musk took over and reworked the social network’s long-standing verification system. This provides a valuable lesson about the link between verification or authentication and between security and usability.

It all started in early October when Musk closed the Twitter deal and claimed that the purchase would accelerate the creation of an “everything app” called “X”. Based on Musk’s history and statements, it appears that “X” would be a Weibo-like super app combining banking, transactions, ticket and hotel booking, calls and other apps and, of course, social networking and messaging.

The Twitter Blue experiment

Musk promised to replace Twitter’s “lords & peasants” verification system with a “power to the people” system that would give Twitter Blue subscribers a blue verified badge for $7.99 per month. This Twitter Blue subscription would also prioritize subscribers in replies, mentions and searches. In other words, Twitter would de-prioritize non-subscribers, equivalent to an email spam filter.

While the press called the scheme “paid verification”, it was nothing of the sort. Identities would not be verified.

Then Twitter rolled out the verification badge for unverified Twitter Blue subscribers, and chaos immediately ensued. Fake accounts with paid-for verification badges emerged for politicians, sports figures and others. They also popped up for brands like PepsiCo, Nintendo and, most publicly, the pharmaceutical company Eli Lilly.

The newly “verified” Eli Lilly fake account tweeted that insulin would be made free. A temporary dip in the company’s stock price was attributed by some to the tweet. Other major brands, companies and people were similarly “verified” and then spoofed.

Some Twitter users claim to have been verified anonymously using a fake ID, VPN software and throwaway email addresses. One claimed to use a “masked” debit card with the mailing address of Twitter’s headquarters, and he was still “verified”.

A new verification policy

As a result of the confusion, Twitter decided to suspend and later relaunch its Twitter Blue verification badge. Some days later, Twitter outlined a new verification badge policy, plus a new date for the rollout: December 2.

The new scheme involves a “painful but necessary” manual authentication process, according to Musk, as well as a new color scheme for verification badges: gold for companies, gray for the government and blue for individual accounts. (It’s unclear where organizations that don’t fit into that scheme — churches, schools, non-profit organizations, clubs and others — will be categorized accounting to badge color.) Musk also said that employees of an organization could display a logo if that organization verifies them as a member.

We don’t know how effective the new verification scheme will be. But we know that Musk thought Twitter could do without it — and was apparently inspired to reconsider after the flight of major advertisers after the verification chaos.

Verification… and authentication

While people often use authentication and verification interchangeably, strongly delineated definitions of these terms offer the most clarity.

Verification usually happens once, at the beginning of participation in a service or system.

Newborn babies get birth certificates, usually authenticated by hospital staff. Subsequent verification stems from that birth certificate, including social security card, driver’s license or ID, passport and more. These documents later verify identity for social media, banking and more.

On Twitter, a notable person verifies who they are, and now they’re verified for all time (or until a billionaire buys the service and changes the verification policy). Whether verified or not, Twitter users must authenticate themselves with passwords and phone numbers.

Verification usually happens one time in any given system. Authentication is a repeated act to demonstrate that the person accessing something is, in fact, the person previously verified. Verification is: “Here’s proof that Mike Elgan is a specific person.” Authentication is: “The person attempting to gain access to a system is, in fact, specifically the previously verified Mike Elgan.” 

Like Twitter, organizations of all types need both verification and authentication.

But Twitter verification is different as well, existing mainly to inform other users about whether a notable person is who they claim, and also for the selection of user benefits (such as the option to see messages only from other verified users). I got verified years ago after complaining to Twitter that dozens of accounts were using my name and profile picture.

Different methods of authentication

Authentication, including multi-factor authentication (MFA) and two-factor authentication (2FA), and verification, such as two-step verification (2SV), all confirm human identity and are all forms of authentication (despite the v-word used in 2SV).

Two-step verification (again, a form of authentication, not verification) involves two steps in a single factor — for example, two pieces of knowledge like a password, plus a mother’s maiden name. Usability is high; security is low.

Two-factor authentication requires two factors, each in a different category — say, knowledge and possession. An example 2FA set might include a password (knowledge), plus an access card, key fob or some other physical security token. Usability and security are both not bad, but not good, either. Bank ATMs use two-factor authentication: A card (possession) and a PIN (knowledge).

Multi-factor authentication can have two or more factors, added to knowledge and possession might be biometric data (a so-called “inherence” factor) or location or time (contextual factors). Three-factor authentication (3FA) is common in higher security scenarios, and might typically include a password (knowledge), a badge scan (possession) and facial recognition (inherence). Usability is lower, but security is higher.

As with everything in security, it’s important to find a balance between security and usability.

Best practices for verification and authentication

The best approach is to embrace methods that improve usability while still employing better security. Passwordless authentication is one example. WiFi fingerprinting is another. Subsequent logins from, say, a remote worker’s home WiFi count as a factor without the user having to take any action.

Tech companies like Microsoft, Apple and Google have all switched to passkeys in place of passwords. Essentially this requires an easier action that replaces knowledge with occasional knowledge but constant inherence. (Adhering to FIDO Alliance standards, passkeys involve cryptographic key pairs stored on devices, which can use on-device biometric systems.) The state-of-the-art for end-user laptops, for example, call for an authenticating password on startup or reboot (occasional knowledge), followed by face or fingerprint recognition (constant inherence) for everyday access to the laptop, to password management software and to other applications and network resources. These technologies boost security and usability at the same time.

The lesson to take from the Twitter chaos is simple. Executives with a superficial understanding of security are correct to push for better usability but should defer to cybersecurity experts on the need for solid verification and authentication.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today