Twitter Limits SMS-Based 2FA to Twitter Blue Members

Starting from March 20, Twitter will discontinue the use of SMS-based two-factor authentication (2FA) for those who don’t have a Twitter Blue subscription. “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors,” Twitter wrote in a Friday night blog post.
“So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.” Individuals who have not subscribed to Twitter Blue still have the option to employ an authenticator app or a security key for 2FA. However, if they are currently using SMS for account authentication, they must transition to an alternative method within 30 days. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method.”
“At that time, accounts with text message 2FA still enabled will have it disabled,” Twitter says. Using SMS for multi-factor authentication is considered the least secure form of 2FA. Hackers have been able to deceive mobile service providers into assigning a victim’s phone number to a new SIM card, which they then insert into their own device to receive the victim’s SMS 2FA codes.
Nevertheless, many services have faced difficulties in persuading users to utilize multi-factor authentication, and a code sent through text messaging is still better than no additional security layer at all. Twitter Blue is the company’s subscription-based service; it offers features like the ability to edit tweets for $8 per month. Elon Musk, the company’s new CEO, has made a big push to boost subscribers to the service by putting some features behind a paywall.
Thus far that’s largely focused on vanity options like the blue checkmarks, though, rather than security features that could put a large number of the site’s members at risk if disabled. On Twitter, Musk framed the move as a cost-cutting measure. “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages,” he wrote.

To check the status of 2FA on your Twitter account, navigate to Settings & privacy > Security and account access > Security > Two-factor authentication and choose between an authentication app or security key.