In yet another bizarre update, Twitter will now limit its SMS two-factor authentication to Twitter Blue users only. The company announced in a blog post that it would provide SMS-based two-factor authentication only to users who are subscribed to the $8-a-month service from March 20.
Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. It is an extra layer of security, so that someone who obtains your password still can’t get into your account. Most online services now either require or strongly recommend that people use 2FA on their accounts.
Twitter provides the option to receive these codes via SMS, which is the most popular method. However, experts suggest that using a third-party app such as Google Authenticator, or a security key, is a much safer alternative. That’s because SIM-swapping attacks give an attacker access to the victim’s 2FA text messages, which can then be used to break into accounts.
Disabling the free SMS authentication has left many confused. People who don’t pay for Twitter Blue have 30 days to turn off SMS-based 2FA and move to another option. Users can switch to third-party authenticator apps, which constantly generate the codes themselves instead of receiving them via SMS. The codes refresh every 30 seconds. These apps are also convenient, as they sync up with all the services you use. Another option is password apps that have their own authenticator services. iPhone users can also opt for Apple’s built-in generator. If you don’t want to use apps, a security key is your best hardware option. It is a USB device you can insert into your computer to authenticate yourself when logging into websites.
If non-subscriber accounts that use SMS authentication do not switch before the deadline, Twitter said it would disable two-factor authentication for that account.
A July 2022 transparency report shows that as of December 2021, just 2.6% of active Twitter accounts use two-factor authentication. 74.4% of those accounts use SMS as their method of authentication.
Musk claimed that fake two-factor authentication messages cost Twitter $60 million per year. He also backed up a tweet claiming that telecommunications companies with bot accounts were running the scams in order to profit from Twitter text messages.
Lord have mercy this guy called it pic.twitter.com/5iVGAiriC3
— Brandon Friedman (@BFriedmanDC) February 19, 2023
Critics argue that while Musk is correct about SMS authentication not being the best option, it is not the most successful money-making venture for scammers. The move has sparked concerns that it could lead to widespread hacks on accounts next month if users fail to switch over.