Twitter announced yesterday that starting March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a number code. Security experts have long advised that people use a generator app to get these codes. But receiving text messages is a popular alternative, so removing that option for unpaid users is leaving security experts scratching their heads.
Twitter’s move is the latest in a string of controversial policy changes since Elon Musk took over the company last year. The paid service Twitter Blue — the only way to get a blue verified tick on Twitter accounts right now — costs $11 a month on Android and iOS and less for a desktop-only plan. Users booted from SMS-based two-factor authentication have the option to switch to an authenticator app or a physical security key.
“While historically a popular form of 2FA, we’ve unfortunately seen phone number-based 2FA used — and abused — by bad actors,” Twitter wrote in a blog post published last night. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
In a July 2022 report on account security, Twitter said only 2.6 percent of its active users have any form of two-factor authentication enabled. Of those users, nearly 75 percent used the SMS version. Nearly 29 percent used authentication apps and less than 1 percent added a physical authentication key.
SMS-based two-factor authentication is insecure because attackers can hijack targets’ phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than not having a second factor of authentication enabled at all.
Increasingly, tech giants such as Apple and Google have eliminated the two-factor SMS option and users have moved (usually over many months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them so little time to complete the transition and by making SMS two-factor seem like a premium feature.
“The Twitter blog rightly points out that two-factor authentication using text messages is often misused by malicious parties. I agree that it is less secure than other 2FA methods,” said Lorrie Cranor, director of Carnegie Mellon’s Usable Privacy and Security Laboratory. “But if security is their motivation, wouldn’t they also want to keep paid accounts safe? It makes no sense to allow the less secure method only for paid accounts.”
While the company says the two-factor changes will roll out in mid-March, Twitter users with SMS two-factor enabled yesterday began encountering a pop-up overlay screen advising them to remove two-factor completely or switch to the authenticator app or security key methods.
It’s unclear what will happen if users don’t disable SMS two-factor before the new deadline. The in-app message to users implies that people who still have SMS two-factor enabled when the change officially takes place on March 20 will no longer be able to access their accounts. “To avoid losing access to Twitter, please remove two-factor authentication by SMS before March 19, 2023,” the notice says. But Twitter’s blog post says two-factor will simply be disabled on March 20 if users don’t adjust it before then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messaging as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA that are still enabled will be disabled.”
Twitter did not return a request for comment about what will happen on March 20 to accounts that still have SMS two-factor enabled. The company also declined to answer questions about the possibility that the policy change will result in a significant loss of two-factor adoption on the platform.
“On the face of it, this sounds like a good level of concern for user safety, but if you’re paying for Twitter Blue — and therefore being a customer who takes your Twitter use seriously and who should care about Twitter the most — then you can continue to use that less secure authentication method,” says Jim Fenton, an independent identity privacy and security consultant. “And they’ve done the exact opposite.”
On Friday night, the Twitter account “T(w)itter Takeover News” echoed the company’s comments about phone number-based 2FA being abused by scammers. The account tweeted that “Twitter changed its policy… regarding SMS-based 2FA because Telcos used bot accounts to pump 2FA SMS. They lost $60 million a year on text scams.” Soon after, Elon Musk’s Twitter account replied, “Yup.”
Musk has long said he is at war with Twitter bots, but struggles to separate legitimate bots from malicious ones. Meanwhile, Twitter’s text messaging two-factor mechanism had glitches and reliability issues in mid-November amid chaos within the company during the early days of Musk’s leadership.
Eliminating the two-factor SMS “could very incrementally reduce Twitter’s costs by not requiring Twitter to pay a telecom provider a fraction of a cent to send those text messages,” says Fenton. But he adds that the cost savings are likely to be extremely small.
Fenton also notes that the move would make more sense if Twitter also announced support for the new authentication mechanism known as “passkeys,” which tech giants are increasingly adopting as a way to reduce users’ reliance on passwords. “Twitter could actually say they’re replacing it with a new authentication method that also doesn’t require buying a hardware security key,” says Fenton. “But the Twitter Blue exception still wouldn’t make sense.”
As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users’ accounts.
“I don’t think we really know if this is going to push people to go ahead and get an authenticator app or if a lot of people will just stop using 2FA,” says Carnegie Mellon’s Cranor. “In general, two-factor authentication is not widely adopted by users unless they are forced to use it. I think a lot of other companies will look into whether banning SMS 2FA is a good idea or not.”
Whether Twitter will be transparent about the impact of the changes and release updated stats is another question.