Changes are afoot at Twitter, again: the social network owned by Elon Musk has announced that securing accounts via SMS-based two-factor authentication (2FA) is going to be an option exclusive to paying Twitter Blue users from this point on.
As per the blog post explaining the change, you won’t be able to set up 2FA with SMS after March 30 unless you pay for Twitter Blue. If you currently use this method to protect access to your account, you’ve got 30 days to either subscribe to Twitter Blue or switch to a different 2FA method, such as an authenticator app or a security key.
“We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead,” says Twitter in its statement. “These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.”
Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here:https://t.co/wnT9Vuwh5nFebruary 18, 2023
Pay up or switch
In its blog post, Twitter mentions abuse of the SMS 2FA system by “bad actors” as one of the reasons behind the switch. From an Elon Musk tweet, it also seems that Twitter was losing a substantial amount of money from bot accounts abusing the SMS 2FA method.
Now if you want to stick with SMS to set up Twitter on new devices, you’ll need to pay for the privilege. Twitter Blue costs $8 a month, or $11 a month if you sign up through Android or iOS, and it’s also available for a whole year for $84. Amongst other perks, you can edit tweets and undo the posting of tweets.
While it’s perhaps not the worst change that Twitter has seen under Musk’s stewardship, the move has kicked up a fair amount of anger – on Twitter, of course – from those who see it as putting one of the most crucial security measures behind a paywall.
Analysis: set up two-factor authentication, install an app
Two-factor authentication is absolutely something you should set up on Twitter, and everywhere else (here’s how): it adds an extra level of protection that means something else is required to log into your account on unknown devices, besides a username and password (details which can be tricked out of you or indeed leaked out online).
That “something else” can be a text message sent to your phone, but at this stage SMS is the weakest option for 2FA. Text messages can be intercepted and redirected, and it’s a much better idea to install a free app on your phone to generate an authentication code instead – among the ones available are Authenticator from Google and Authy.
The weakness of SMS 2FA begs the question of why Twitter didn’t just ditch it altogether – but it would seem that there are still users who genuinely need this functionality. It’s not clear how big this group is, but anyone still in it is now going to have to pay for the privilege of getting their 2FA codes sent over SMS.
One of the risks here is that SMS 2FA users who don’t want to pay will simply switch off 2FA completely – something we definitely wouldn’t recommend. To keep your account as secure as possible, get 2FA set up and use a mobile app as the authentication method, whether or not you’re subscribed to Twitter Blue.