Twitter has announced that starting with March 20, users who don’t pay the Twitter Blue subscription will no longer be able to use the SMS-based two-factor authentication (2FA) option.
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors,” the company said. Twitter CEO Elon Musk further explained the rationale behind the move by claiming that “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages.”
For good or for bad
Some security professionals have been commenting on the move, some arguing that it’s good because it will push users away from a relatively easily bypassed 2FA option towards more secure ones: authenticator apps that provide one-time access codes and hardware security keys.
Others pointed out that even SMS-based 2FA is better than just securing accounts with a password. According to the last known 2FA usage numbers (from 2H 2021), the SMS-based 2FA option is the most widely used by far, because less tech-savvy users find it to be the easiest to understand and set up.
It now remains to be seen if this latest move by Twitter will push those users towards a better 2FA option, a worse security decision (using just a password), or towards getting the Twitter Blue subscription, which is $8 per month.
Users are already being alerted about the upcoming change and urged to make a decision before March 20, because the text message 2FA option will then be disabled automatically.
“Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account. If you would like to do so, instructions to update your account phone number are available on our Help Center,” Twitter explained.
Given Twitter’s many operational glitches since Musk’s acquisition and gutting of various Twitter teams, I would also urge users to switch the option off or switch to another 2FA option sooner rather than later, because they just might end up getting locked out of their account due to unintended and unforeseen malfunctions. To do so, they must log in to their Twitter account and go to Settings & Privacy > Security and Account Access > Security > Two-factor Authentication.
The SMS-based 2FA option is already unavailable to Twitter users who don’t pay for Twitter Blue.
Naturally, security professionals would like to see everyone using a strong 2FA option, but many users find the prospect of setting up and using an authenticator app or security key daunting.
If you end up foregoing 2FA altogether, you should change your Twitter password to a long and complex one, never reuse it for another account, and be extra careful not to fall for Twitter-themed phishing schemes. If you’re not using a password manager to remember and input that password for you, you should at least create a browser bookmark pointing to the legitimate Twitter login page and make sure to always use it to access the service.