FTC Strengthens Multi-Factor Authentication Standards in Twitter Order

Published: Jun. 15, 2022

Twitter agreed to pay a $150 million penalty to settle Federal Trade Commission allegations that the company violated its 2011 consent order, in part by collecting user phone numbers and email addresses for security purposes and then also using them, improperly, to target ads.

In addition to the financial penalty, the FTC’s order generally requires Twitter to offer its users the ability to secure their account with multi-factor authentication methods that do not require a phone number. The case highlights the FTC’s increasing focus on the overlap between privacy and information security.

The Federal Trade Commission has touted the security benefits of multi-factor authentication for years. The Twitter order is another step in the FTC’s move toward more secure forms of multi-factor authentication, such as authenticator apps or physical security keys, while leaving the door open to other equally secure authentication options. A previous order, in March 2022, prohibited a company that suffered a data breach from continuing to use security questions and answers for account access.

“Research shows that these alternatives provide greater security, as they can protect users against credential phishing,” FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter said in a joint statement.  

Twitter had already been under an FTC order stemming from a 2011 settlement concerning the company’s alleged data security failures, which enabled the Commission to obtain financial penalties this time around. Going back nearly a decade, the company has prompted users to provide their phone number and email address for multi-factor authentication and account recovery. In 2019, Twitter publicly disclosed the data may have been used for advertising. The FTC found that Twitter’s disclosure in its privacy policy that it may use personal information collected for advertising purposes did not override the just-in-time statements to users suggesting that Twitter would use the phone numbers to help secure their accounts. 

The order also requires a blended “privacy and information security program.” In addition to the FTC’s more standard privacy and information security requirements, the program also requires detailed privacy reviews when a new product or practice is found to pose a risk to certain types of personal data. Those reviews include an inventory of how the information is processed, the type of notice and consent given to users, to whom the information is shared, and other controls.  The order also requires Twitter to notify the FTC if it should experience a data breach.

As Commissioners Wilson and Phillips describe in their Concurring Statement, this Twitter settlement reflects the evolution of FTC privacy and security orders over time.  Here, companies can glean that the FTC increasingly would like non-SMS multi-factor authentication to be considered standard, and companies should be mindful of regulators’ expectations for accurate and complete privacy disclosures concerning information collected for security purposes.