Twitter announced yesterday that starting March 20, it will only allow users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving text messages is a popular alternative, so removing that option for non-paying users has left security experts scratching their heads.
Twitter’s move is the latest in a string of controversial policy changes since Elon Musk took over the company last year. The paid service Twitter Blue — currently the only way to get a blue verified tick on a Twitter account — costs $11 a month on Android and iOS and less for a desktop-only plan. Users who lose SMS-based two-factor authentication have the option to switch to an authenticator app or a physical security key.
“While historically a popular form of 2FA, we’ve unfortunately seen phone number-based 2FA used — and abused — by bad actors,” Twitter wrote in a blog post that appeared Friday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
In a July 2022 report on account security, Twitter said only 2.6 percent of its active users have any form of two-factor authentication enabled. Of those users, nearly 75 percent used the SMS version. Nearly 29 percent used authentication apps and less than 1 percent added a physical authentication key.
SMS-based two-factor authentication is insecure because attackers can hijack targets’ phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using two-factor SMS is significantly better than not having a second factor of authentication enabled.
Increasingly, tech giants such as Apple and Google have eliminated the two-factor SMS option and users have moved (usually over many months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them so little time to complete the transition and by making SMS two-factor seem like a premium feature.
“The Twitter blog rightly points out that two-factor authentication using text messages is often misused by malicious parties. I agree that it is less secure than other 2FA methods,” said Lorrie Cranor, director of Carnegie Mellon’s Usable Privacy and Security Laboratory. “But if security is their motivation, wouldn’t they also want to keep paid accounts safe? It makes no sense to allow the less secure method only for paid accounts.”
While the company says the two-factor changes will roll out in mid-March, Twitter users with SMS two-factor enabled began encountering a pop-up overlay screen on Friday advising them to remove two-factor authentication completely or switch to the authentication app or security key methods.
It’s unclear what will happen if users don’t disable SMS two-factor before the new deadline. The in-app message suggests that people who still have SMS two-factor enabled when the change officially takes place on March 20 will no longer be able to access their accounts. “To avoid losing access to Twitter, please remove two-factor authentication by SMS before March 19, 2023,” the notice reads. But Twitter’s blog post says two-factor will simply be disabled on March 20 if users don’t adjust it before then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA that are still enabled will be disabled.”