Twitter has been verifiably bonkers since electric car and rocket mogul Elon Musk took over and reworked the social network’s long-standing verification system. This provides a valuable lesson about the link between verification or authentication and between security and usability.

It all started in early October when Musk closed the Twitter deal and claimed that the purchase would accelerate the creation of an “everything app” called “X”. Based on Musk’s history and statements, it appears that “X” would be a Weibo-like super app combining banking, transactions, ticket and hotel booking, calls and other apps and, of course, social networking and messaging.

The Twitter Blue experiment

Musk promised to replace Twitter’s “lords & peasants” verification system with a “power to the people” system that would give Twitter Blue subscribers a blue verified badge for $7.99 per month. This Twitter Blue subscription would also prioritize subscribers in replies, mentions and searches. In other words, Twitter would de-prioritize non-subscribers, equivalent to an email spam filter.

While the press called the scheme “paid verification”, it was nothing of the sort. Identities would not be verified.

Then Twitter rolled out the verification badge for unverified Twitter Blue subscribers, and chaos immediately ensued. Fake accounts with paid-for verification badges emerged for politicians, sports figures and others. They also popped up for brands like PepsiCo, Nintendo and, most publicly, the pharmaceutical company Eli Lilly.

The newly “verified” Eli Lilly fake account tweeted that insulin would be made free. A temporary dip in the company’s stock price was attributed by some to the tweet. Other major brands, companies and people were similarly “verified” and then spoofed.

Some Twitter users claim to have been verified anonymously using a fake ID, VPN software and throwaway email addresses. One claimed to use a “masked” debit card with the mailing address of Twitter’s headquarters, and he was still “verified”.

A new verification policy

As a result of the confusion, Twitter decided to suspend and later relaunch its Twitter Blue verification badge. Some days later, Twitter outlined a new verification badge policy, plus a new date for the rollout: December 2.

The new scheme involves a “painful but necessary” manual authentication process, according to Musk, as well as a new color scheme for verification badges: gold for companies, gray for the government and blue for individual accounts. (It’s unclear where organizations that don’t fit into that scheme — churches, schools, non-profit organizations, clubs and others — will be categorized accounting to badge color.) Musk also said that employees of an organization could display a logo if that organization verifies them as a member.

We don’t know how effective the new verification scheme will be. But we know that Musk thought Twitter could do without it — and was apparently inspired to reconsider after the flight of major advertisers after the verification chaos.

Verification… and authentication

While people often use authentication and verification interchangeably, strongly delineated definitions of these terms offer the most clarity.

Verification usually happens once, at the beginning of participation in a service or system.

Newborn babies get birth certificates, usually authenticated by hospital staff. Subsequent verification stems from that birth certificate, including social security card, driver’s license or ID, passport and more. These documents later verify identity for social media, banking and more.

On Twitter, a notable person verifies who they are, and now they’re verified for all time (or until a billionaire buys the service and changes the verification policy). Whether verified or not, Twitter users must authenticate themselves with passwords and phone numbers.

Verification usually happens one time in any given system. Authentication is a repeated act to demonstrate that the person accessing something is, in fact, the person previously verified. Verification is: “Here’s proof that Mike Elgan is a specific person.” Authentication is: “The person attempting to gain access to a system is, in fact, specifically the previously verified Mike Elgan.” 

Like Twitter, organizations of all types need both verification and authentication.

But Twitter verification is different as well, existing mainly to inform other users about whether a notable person is who they claim, and also for the selection of user benefits (such as the option to see messages only from other verified users). I got verified years ago after complaining to Twitter that dozens of accounts were using my name and profile picture.

Different methods of authentication

Authentication, including multi-factor authentication (MFA) and two-factor authentication (2FA), and verification, such as two-step verification (2SV), all confirm human identity and are all forms of authentication (despite the v-word used in 2SV).

Two-step verification (again, a form of authentication, not verification) involves two steps in a single factor — for example, two pieces of knowledge like a password, plus a mother’s maiden name. Usability is high; security is low.

Two-factor authentication requires two factors, each in a different category — say, knowledge and possession. An example 2FA set might include a password (knowledge), plus an access card, key fob or some other physical security token. Usability and security are both not bad, but not good, either. Bank ATMs use two-factor authentication: A card (possession) and a PIN (knowledge).

Multi-factor authentication can have two or more factors, added to knowledge and possession might be biometric data (a so-called “inherence” factor) or location or time (contextual factors). Three-factor authentication (3FA) is common in higher security scenarios, and might typically include a password (knowledge), a badge scan (possession) and facial recognition (inherence). Usability is lower, but security is higher.

As with everything in security, it’s important to find a balance between security and usability.

Best practices for verification and authentication

The best approach is to embrace methods that improve usability while still employing better security. Passwordless authentication is one example. WiFi fingerprinting is another. Subsequent logins from, say, a remote worker’s home WiFi count as a factor without the user having to take any action.

Tech companies like Microsoft, Apple and Google have all switched to passkeys in place of passwords. Essentially this requires an easier action that replaces knowledge with occasional knowledge but constant inherence. (Adhering to FIDO Alliance standards, passkeys involve cryptographic key pairs stored on devices, which can use on-device biometric systems.) The state-of-the-art for end-user laptops, for example, call for an authenticating password on startup or reboot (occasional knowledge), followed by face or fingerprint recognition (constant inherence) for everyday access to the laptop, to password management software and to other applications and network resources. These technologies boost security and usability at the same time.

The lesson to take from the Twitter chaos is simple. Executives with a superficial understanding of security are correct to push for better usability but should defer to cybersecurity experts on the need for solid verification and authentication.

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…