Twitter’s Update on Two-Factor Authentication
In the middle of February, Twitter announced on its blog that, starting from February 15th, users without the Twitter Blue subscription won’t be able to rely on SMS two-factor authentication. That is because, according to Twitter, this form of 2FA has been abused, hence the decision to limit the availability of SMS-based two-factor authentication to Twitter Blue subscribers only.
Twitter offers iOS users an annual plan for $114.99, which saves them $17.01 a year compared with paying monthly. Android users presumably pay $132 annually, since Twitter's Help Center page does not mention a discounted annual plan for Android the way it does for iOS.
Source: Twitter
That means that from February 15th, Twitter won't allow users to use SMS 2FA unless they pay for Twitter Blue. Non-subscribers who currently use this method have 30 days to disable it and set up a different one. After March 20th, SMS will no longer be available as an authentication method to non-Twitter Blue subscribers, and accounts that still have it enabled will have it switched off, leaving them with password-only login unless they enroll an authenticator app or a security key.
We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead. These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.
Twitter writes in its blog post about the upcoming two-factor authentication update.
Elon Musk also shared on Twitter that threat actors abusing Twitter’s SMS two-factor authentication method cost the company roughly $60 million a year.
Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages
— Elon Musk (@elonmusk) February 18, 2023
How Will Elon’s Decision Affect the End User?
Twitter’s announcement stirred up the crowd, and many users were outraged about this seemingly absurd update. Some even suggested that Twitter is compromising user safety to cut costs, which could be a plausible explanation for the update.
Now, why is the removal of Twitter's SMS-based two-factor authentication a potential security concern?
For starters, two-factor authentication is an essential feature that adds an extra security layer to your account. While quite a few 2FA types exist, Twitter offers three two-factor authentication methods – SMS account verification, security key, and authentication app.
According to Twitter's transparency report, published long before Elon Musk initiated Twitter's acquisition, only 2.6% of active accounts had any form of 2FA enabled as of December 2021. Of those accounts, 74.4% used the SMS method, 28% an authentication app, and only 0.5% a security key (an account can have more than one method enabled).
It’s no surprise that the majority of 2FA users rely on SMS codes instead of other authentication methods. For most people, receiving a code by text message is a lot easier than the alternatives. An authenticator app, for example, protects the account far better, because the one-time codes are computed on the device from a shared secret and never cross the phone network. But it requires installing an app, scanning a QR code during enrollment, and keeping the recovery codes somewhere safe; lose the phone without a backup and you are locked out. For many users, that is too much hassle.
Users not wanting to pay for a Twitter subscription will lose the privilege of using SMS authentication. As a result, they could potentially drop the idea of employing additional security measures besides passwords. If user accounts become easily breachable, lots of people could lose access to their accounts.
Making users pay for a feature that was free for a very long time is a very bold move and could result in a disaster. True, people still have the option to choose and switch to other authentication methods or invest in a Twitter Blue subscription. However, as stated earlier, SMS was the easiest solution, and people prefer convenience. In addition to charging for convenience, Twitter isn’t doing a good job of helping people switch to other, less user-friendly methods.
Some users suggested potential solutions to this problem, such as switching to email-based 2FA and educating account holders about more secure options.
Could be temporarily mitigated by email based 2FA, then educate the user about the app-based ones.
— sym.btc (@SymbianSyMoh) February 18, 2023
Twitter, however, didn’t announce such procedures, leaving users with a difficult choice. More importantly, many account holders aren’t happy with the announcement, meaning Twitter could lose many users at the end of March 2023.
Did Elon Make the Right Choice?
SMS authentication adds more security to your account than a password alone. But, as there’s no such thing as absolute safety, this method is exploitable: codes sent by text can be intercepted through SIM swapping or weaknesses in carrier networks, and, like codes from an authenticator app, they can be phished by a fake login page that relays them to the real site in real time. Of the options Twitter offers, only security keys (FIDO2/WebAuthn) resist phishing, because the key signs a challenge bound to the genuine site’s origin and produces nothing a fake page can reuse.
Of course, more secure methods exist, including security keys and authentication apps, the authentication options Twitter offers its users. So, in a way, Twitter could do us all a favor by enforcing new account verification rules.
SMS 2FA is NOT secure. You're not losing anything. Yes, terrible….really terrible messaging, but Twitter is making you more secure by forcing you off SMS 2FA to using an MFA app.
— NetworkChuck (@NetworkChuck) February 19, 2023
Use an MFA app. I use Dashlane for most stuff. Google authenticator and others are great too.
Still, we don’t know how many users will refuse to switch to Twitter Blue or to another authentication method, so it’s too early to judge whether Elon made the right choice. What we can say for sure is that SMS is the least secure verification option Twitter offers, and moving users off it will improve security for everyone who actually makes the switch. We only hope Musk and his team know that forcing people into change again could backfire. But then, maybe the risks were carefully calculated, and his decision to drop SMS verification for most users could result in a better, more secure Twitter.