Changes are happening again on Twitter: Elon Musk’s social network has announced that securing accounts via SMS-based two-factor authentication (2FA) will now be an exclusive option for paying Twitter Blue users.
According to the blog post explaining the change, you won’t be able to set up 2FA with SMS after March 30 unless you pay for Twitter Blue. If you’re currently using this method to protect access to your account, you have 30 days to subscribe to Twitter Blue or switch to another 2FA method, such as an authenticator app or a security key.
“We encourage non-Twitter Blue subscribers to use an authenticator app or security key method instead,” Twitter said in its statement. “These methods require you to have physical possession of the authentication method and are a great way to make sure your account is secure.”
“As of March 20, 2023, only Twitter Blue subscribers can use text messages as a two-factor authentication method. Other accounts can use an authenticator app or security key for 2FA. Read more here: https://t.co/wnT9Vuwh5n” (tweet, February 18, 2023)
Pay or transfer
In its blog post, Twitter cites abuse of the SMS 2FA system by “bad actors” as one of the reasons for the switch. Judging by an Elon Musk tweet, it also appears that Twitter lost a significant amount of money to bot accounts that abused the SMS 2FA method.
Now, if you want to keep using text messages to set up Twitter on new devices, you’ll have to pay for the privilege. Twitter Blue costs $8 a month, or $11 a month if you sign up on Android or iOS, and it’s also available for a whole year for $84. Among other perks, you can edit and undo tweets.
While it may not be the worst change Twitter has seen under Musk’s leadership, the move has generated quite a bit of anger — on Twitter, of course — from those who see it as putting one of the most crucial security measures behind a paywall.
Analysis: set up two-factor authentication, install an app
Two-factor authentication is definitely something you should set up on Twitter and everywhere else (here’s how): it adds an extra layer of protection, meaning that logging into your account on an unknown device requires something beyond a username and password (data that can be stolen from you or even leaked online).
That “something else” could be a text message sent to your phone, but at this stage texting is the weakest option for 2FA. Text messages can be intercepted and redirected, so it’s a much better idea to install a free app on your phone that generates an authentication code instead; two of the available ones are Google Authenticator and Authy.
The weakness of SMS 2FA raises the question of why Twitter didn’t just do away with it altogether – but it seems there are still users out there who really need this functionality. It’s not clear how big this group is, but anyone still in it will now have to pay for the privilege of having their 2FA codes sent via SMS.
One of the risks here is that SMS 2FA users who don’t want to pay will simply turn off 2FA altogether – something we certainly don’t recommend. To keep your account as secure as possible, you should set up 2FA and use a mobile app as your authentication method, whether or not you’re subscribed to Twitter Blue.