Twitter to disable SMS 2FA for free customers

You're not safe and you'll pay for the privilege

Twitter to disable SMS 2FA for free customers

Twitter has announced plans to kill off SMS-based two-factor authentication for everyone - except its paying Twitter Blue subscribers.

After 20th March, only those paying $8 a month for the privilege of a blue tick next to their name will be able to authenticate their Twitter logins via text message.

Twitter is, however, retaining 2FA methods using an either an authentication app or security key.

The company, which Elon Musk took over late last year, says it is "committed to keeping people safe and secure" online, which is why it is moving away from phone number-based 2FA.

"While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors."

Twitter is not the first company to realise the vulnerability of SMS-based system: Reddit moved to token-based authentication after a hack in 2018.

What differentiates Twitter's move is that although it has acknowledged the lack of security around phone number authentication, it will continue to offer it to its paying customers rather than moving everyone to a more secure system.

This may be because SMS authentication is historically the most popular form of 2FA, requiring no extra steps like app downloads or physical tokens.

Non-Blue subscribers will have until 20th March to disable SMS 2FA themselves and move to a different method. If they don't, Twitter will simply disable 2FA on their accounts.

How to change authentication methods on Twitter

Two-factor authentication keeps users safe by adding an additional step when logging in to online services.

After entering your password as normal, when using 2FA you'll also be asked for another piece of information: normally a one-time use code generated by a software or hardware-based token.

Although Twitter is disabling the popular SMS 2FA, swapping to a different system is relatively easy.

Image
A screenshot of Twitter's authentication menu
Description
Image: Computing

There are two alternatives to SMS 2FA: either an app like Google Authenticator, Authy or LastPass, or a physical token like Yubikey.

Once you've decided which you want to use and have the app or token, open Twitter.

  1. Click the three dots (...) on the left of your screen on Twitter's website, or hit your profile icon in the top left.
  2. Go to Settings and Support > Settings and privacy.
  3. Choose Security and account access > Security > Two-factor authentication.
  4. Choose your preferred method of two-factor authentication and enter your password if requested.
    1. If using an app, you will need to scan a QR code or enter a code from the app.
    2. If using a physical token you will need to link it via USB, Bluetooth or NFC.

Computing says:

This is a move obviously aimed at making money - as several of Twitter's recent decisions have been - but like those, comes off as both short-sighted and bad for users.

While some customers might switch to a different authentication method, many will likely ignore the change and leave their accounts wide open.

One market stakeholder - Andy Kays, CEO of Socura - said Twitter's move was "Christmas come early for fraudsters."

Twitter's argument that phone number-based 2FA is insecure also makes little sense, as the company is leaving it in place for paying subscribers.

If the firm was really worried about security, it would have removed SMS 2FA for everybody - not only free customers.