Twitter authentication and offboarding gaps: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Twitter’s SMS 2FA glitches, rushed employee exits, and a reported 5.4 million-account breach exposed how authentication fragility and offboarding failures can converge during organisational upheaval, according to Axiad. The lesson is that access revocation, recovery paths, and phishing-resistant authentication cannot be treated as separate workstreams.

NHIMG editorial — based on content published by Axiad: Twitter's Authentication Nightmare

Questions worth separating out

Q: What breaks when SMS 2FA becomes unreliable during an identity incident?

A: When SMS 2FA becomes unreliable, users can be locked out, pushed toward weaker recovery paths, or lose confidence in the organisation’s access controls.

Q: Why do offboarding failures create so much identity risk?

A: Offboarding failures leave access active after the business relationship has changed, which means the organisation no longer knows who can still reach systems, data, or administrative functions.

Q: How should teams reduce risk from API endpoints tied to identity data?

A: Teams should inventory every API that can return account or profile data, then verify authentication strength, authorization scope, and whether the endpoint can return records in bulk.

Practitioner guidance

  • Replace SMS-dependent authentication: Move high-risk users and administrators to phishing-resistant MFA such as security keys or authenticator-based methods, and retire SMS for recovery and step-up access where possible.
  • Run full-scope leaver revocation: Disable directory access, revoke app sessions, remove device trust, and confirm privileged entitlements are gone across every connected system before closing the offboarding case.
  • Review API-facing identity paths: Identify which APIs can return bulk user data, then validate authentication strength, token handling, and entitlement scope for every service that can reach those endpoints.

What's in the full analysis

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • A closer walkthrough of Twitter's authentication failures and the specific user-facing symptoms reported during the outage.
  • The article's own discussion of offboarding risk when large numbers of employees depart at once and access revocation becomes messy.
  • The source's treatment of the 5.4 million-record breach and how an API vulnerability tied the identity problem to data exposure.
  • Axiad's recommended authentication direction for teams that want to move away from fragile SMS-based 2FA.

👉 Read Axiad's analysis of Twitter's authentication nightmare and offboarding risk →

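The two checks in the practitioner guidance above (full-scope leaver revocation, and reviewing which API paths can return identity data in bulk) are easy to state and easy to get wrong in practice, so here is a small worked example of both. This is an added illustration written for this thread; it is not Axiad's code, NHIMG's tooling, or anything from the source article. The data model (a per-system export of who still has something active, and an endpoint inventory record), the list of access kinds an offboarding case must cover, the set of authentication types counted as "strong", and the risk weights are all assumptions chosen for the example; the sample exports and endpoints are constructed.

```python
from dataclasses import dataclass, field


# ---- Part 1: leaver revocation closure check -------------------------------
# Assumed model: each connected system exports one record per access kind,
# listing which subjects still have that kind of access active.

@dataclass
class SystemExport:
    system: str                                   # e.g. "directory", "sso-sessions"
    kind: str                                     # access kind this export covers
    active: dict = field(default_factory=dict)    # subject -> still active?


# Assumption: an offboarding case needs evidence from every one of these kinds.
REQUIRED_KINDS = {"account", "session", "device_trust", "entitlement", "api_key"}


def outstanding_access(subject, exports):
    """(system, kind) pairs where the leaver still has something active."""
    return [(e.system, e.kind) for e in exports if e.active.get(subject, False)]


def can_close_offboarding(subject, exports):
    """Return (ok, missing_kinds, leftovers).

    The case may close only when every required access kind was actually
    checked (a kind with no export at all is "unknown", not "revoked") and
    no system reports the subject as still active.
    """
    missing = sorted(REQUIRED_KINDS - {e.kind for e in exports})
    leftovers = outstanding_access(subject, exports)
    return (not missing and not leftovers, missing, leftovers)


# ---- Part 2: API-facing identity path review --------------------------------
# Assumed inventory record for one endpoint that a service can reach.

@dataclass
class ApiEndpoint:
    path: str
    auth: str            # "none", "api_key", "user_token", "mtls"
    identity_data: bool  # can it return account or profile records?
    bulk: bool           # list/search/batch shape: many records per call
    page_size: int = 1   # records per call when bulk


STRONG_AUTH = {"user_token", "mtls"}   # assumption: what this org treats as strong


def review_endpoint(ep):
    """Human-readable findings for one endpoint; empty list means no concern."""
    findings = []
    if not ep.identity_data:
        return findings
    if ep.auth == "none":
        findings.append("identity data with no authentication")
    elif ep.auth not in STRONG_AUTH:
        findings.append(f"weak authentication ({ep.auth})")
    if ep.bulk:
        findings.append(f"bulk return, up to {ep.page_size} records per call")
    return findings


def risk_score(ep):
    """Assumed weights: unauthenticated > weak auth, and bulk shape adds on top."""
    if not ep.identity_data:
        return 0
    score = 1
    if ep.auth == "none":
        score += 3
    elif ep.auth not in STRONG_AUTH:
        score += 2
    if ep.bulk:
        score += 2
    return score


def prioritise(endpoints):
    """Endpoints with findings, highest risk first: (path, score, findings)."""
    rows = [(ep.path, risk_score(ep), review_endpoint(ep)) for ep in endpoints]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample data.
    exports = [
        SystemExport("directory", "account", {"alice": False}),
        SystemExport("sso-sessions", "session", {"alice": True}),
        SystemExport("mdm", "device_trust", {"alice": False}),
        SystemExport("prod-admin", "entitlement", {"alice": False}),
    ]
    print(can_close_offboarding("alice", exports))   # blocked: session + no api_key check
    inventory = [
        ApiEndpoint("/v1/users/search", "api_key", True, True, 1000),
        ApiEndpoint("/v1/me", "user_token", True, False),
        ApiEndpoint("/v1/health", "none", False, False),
    ]
    for row in prioritise(inventory):
        print(row)
```

The point of the first function is the coverage rule: a kind of access that nobody exported is reported as missing rather than silently counted as revoked, which is exactly the gap a rushed exit tends to leave. The second part does nothing clever; its value is that the inventory forces the three questions (authentication strength, entitlement scope, bulk shape) to be answered per endpoint and recorded before anyone signs off on the review.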
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Authentication assurance is only as strong as the fallback path. SMS 2FA looks acceptable until operational stress, carrier delay, or account churn makes it unreliable. In this case, access trust eroded because the second factor itself became unstable, which is a classic sign that the control was too dependent on external delivery conditions. Practitioners should treat fallback design as part of the control, not an exception to it.

A few things that frame the scale:

  • 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when access revocation is incomplete after mass layoffs?

A: Accountability should sit with the identity and access owners who can confirm that revocation completed across directories, applications, devices, and privileged systems. HR may trigger the process, but IAM and security teams own the control outcome because incomplete offboarding is an access governance failure.

👉 Read our full editorial: Twitter's authentication breakdown exposed the cost of offboarding gaps



   
ReplyQuote
Share: