There’s more to be said about the Twitter hack, and more that won’t be said (we still think the ‘official’ story is the tip of the iceberg), but this writeup has an important and illustrative point:
“Attackers were able … to update the email address on file for the account, revoke any 2FA [two-factor authentication] settings, and then do a password reset to gain access to the account. This worked to their advantage in that when a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account, so after the email address is updated an email about 2FA being revoked goes to the NEW [i.e., bad guy’s] email address, and then when they perform a password reset it goes to the new [bad guy’s] email address as well”.
There’s three points that are worth noticing here:
The tradeoff between usability (in this case, helping Twitter users who are locked out) and security is alive and well. This tradeoff is a problem to manage, not a problem to solve.
Email addresses are in a weird place between “public knowledge” and “important part of the authentication process”. More can and has been said, but email isn’t secure and can’t be made secure.
Where you can’t implement a preventative control (in this case, getting email out of the authentication process), detective controls should be put in place. Hindsight is always 20/20, but Twitter should have notified both the new and the old email addresses when a profile’s email was changed. That’s easy to say now, of course.