Twitter has confirmed that it is now only offering SMS-based two-factor authentication as an option to people who pay for its Twitter Blue subscription service.
In a blog post, the company confirmed that the change would kick in on March 20. After that date anyone who already has SMS two-factor authentication enabled will see it disabled, meaning they’ll have no second factor available to them. The security of their Twitter account will be severely impacted as a result.
The move comes as Twitter is reportedly losing money hand over fist, with owner and CEO Elon Musk thought to be looking for ways to save cash where possible. Charging people for SMS-based 2FA appears to be his latest idea.
It’s important to use two-factor authentication because it ensures that even if someone has your username and password, they won’t be able to access your account or data. In the case of SMS and Twitter, logging into the social network would trigger a text message to be sent to a trusted phone number, authentication code in tow.
Twitter would then require that the code be plugged into the log-in form, or else access wouldn’t be granted. Now, that won’t happen unless you pay at least $8 monthly for Twitter Blue.
However, SMS-based two-factor authentication is problematic. Twitter says it’s had an issue with bad actors and abuse, but the real problem is that it isn’t all that secure.
With SMS handling two-factor authentication, someone only needs access to that phone in order to intercept the code generated by sites like Twitter. That could mean stealing a phone or, more likely, some sort of SIM swap attack.
As a result, physical security keys or software code generators are a better option. Some of the best hardware security keys even have a wireless component, too. In the case of Twitter, a software two-factor authentication solution is a great option; for most people, it happens to be the only one as well. Thankfully, these options are remaining free, but as Twitter’s own Transparency reports reveal, 75% of all of its users are SMS 2FA users and will need to change their settings or cough up.