
Twitter’s two-factor authentication change ‘doesn’t make sense’


Twitter announced yesterday that, as of March 20th, it will only allow users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password, followed by an additional “factor,” such as a code. Security experts have long advised people to use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for non-paying users has left security experts scratching their heads.

Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk bought the company last year. The paid service Twitter Blue, the only way to get a verified blue check mark on a Twitter account these days, is $11 per month on Android and iOS and less for desktop-only subscriptions. Users whose SMS-based two-factor authentication is disabled will have the option to switch to an authenticator app or a physical security key.

“While formerly a common form of 2FA, we’ve unfortunately seen phone number-based 2FA used — and abused — by bad actors,” Twitter wrote in a blog post published on Friday night. “So starting today, we will no longer allow accounts to sign up for 2FA by text/SMS unless they are a Twitter Blue subscriber.”

In a July 2022 report on account security, Twitter says that only 2.6% of its active users have any type of two-factor authentication enabled. Of those users, almost 75% are using the SMS version. Nearly 29 percent are using authentication apps, and less than 1 percent have added a physical authentication key.

SMS-based two-factor authentication is not secure, because an attacker can hijack the target’s phone number or use other techniques to intercept messages. But security experts have long emphasized that using SMS two-factor is significantly better than not enabling a second factor at all.

Increasingly, tech giants like Apple and Google have removed the SMS two-factor option and switched users (often over months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them too little time to complete the transition and will make SMS two-factor seem like a premium feature.

“The Twitter blog is right to point out that two-factor authentication using text messages is often abused by bad actors. I agree that it is less secure than other 2FA methods,” said Lorrie Cranor, director of Carnegie Mellon’s usable security and privacy lab. “But if their motivation is security, do they want to keep premium accounts safe? It doesn’t make sense to just allow the less secure method for premium accounts.”

While the company says its changes to the two-factor feature will roll out in mid-March, Twitter users who have SMS two-factor enabled already started seeing pop-up overlay screens on Friday that advised them to either remove the two-factor feature entirely or switch to an “authentication app or secure key method.”

It’s not clear what will happen if users don’t turn off SMS two-factor by the new deadline. The in-app message to users implies that those who still have SMS two-factor enabled when the change officially takes place on March 20th will be locked out of their accounts. “To avoid losing access to Twitter, remove two-factor authentication by text message by March 19, 2023,” the message said. But Twitter’s blog post says that two-factor will be disabled on March 20 if users don’t adjust it by then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that point, accounts that still have 2FA text messaging enabled will be disabled.”
