Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Twitter's text-based two-factor authentication becomes a paid-only feature

Twitter is going to make text-based two-factor authentication a feature of the Twitter Blue subscription, a change that can affect the security of millions of users.

In a company blog post from Wednesday that was highlighted by the micro-blogging service in a Friday tweet, Twitter is changing how it handles two-factor authentication. Specifically, that one method will be limited only to paid users.

Securing the account is usually handled by three two-factor authentication systems, consisting of text messages, using an authentication app, or a security key. While the latter two will be staying as they are, the SMS authentication option is being turned into a benefit for Twitter Blue subscribers.

In a blog post, Twitter cites how text-based 2FA can "be used - and abused - by bad actors," and that as of Wednesday, it isn't allowing accounts to enroll in SMS 2FA, unless they are Twitter Blue subscribers.

For existing SMS-based 2FA users who aren't using Twitter Blue, they will have until March 20 to disable it and to use one of the other methods. After March 20, non-Twitter Blue subscribers won't be able to use text-based 2FA, with such accounts having 2FA disabled automatically.

"We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead," writes Twitter. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure."

The removal of text-based two-factor authentication is the latest policy change for Twitter in its months-long management by Elon Musk. Other changes have included increasing the character limit on Twitter Blue to 4,000, attempts to introduce a new paid API, and a temporary blocking of links to other social platforms.



15 Comments

ranson 15 Years · 91 comments

This is an interesting choice with somewhat dubious reasoning: pay us $8 for the continuing privilege of using the least secure MFA mechanism.

Most likely, the SMS's were too costly for Elon's liking, while Authenticator apps are both more secure and effectively free for Twitter to support. So from a financial perspective, it makes a lot of sense. From a security posture, forcing users off of SMS and over to an Authenticator app is a good long-term decision.

However, the outright disabling of nonconforming users' existing SMS MFA on March 20 is a terrible idea, as it will expose what is likely millions and millions of accounts to being compromised, should their passwords have been previously harvested. This will particularly impact users who rarely access Twitter anymore, if at all. A better approach here would be to retain the SMS MFA on those users indefinitely, but require them to explicitly disable MFA or switch to an Authenticator app the next time they access Twitter after 3/20. You should never just turn someone's MFA off without their explicit approval.

dewme 10 Years · 5775 comments

ranson said:
This is an interesting choice with somewhat dubious reasoning: pay us $8 for the continuing privilege of using the least secure MFA mechanism.

Most likely, the SMS's were too costly for Elon's liking, while Authenticator apps are both more secure and effectively free for Twitter to support. So from a financial perspective, it makes a lot of sense. From a security posture, forcing users off of SMS and over to an Authenticator app is a good long-term decision.

However, the outright disabling of nonconforming users' existing SMS MFA on March 20 is a terrible idea, as it will expose what is likely millions and millions of accounts to being compromised, should their passwords have been previously harvested. This will particularly impact users who rarely access Twitter anymore, if at all. A better approach here would be to retain the SMS MFA on those users indefinitely, but require them to explicitly disable MFA or switch to an Authenticator app the next time they access Twitter after 3/20. You should never just turn someone's MFA off without their explicit approval.

I suppose they could have provided an incentive for people to abandon the SMS method like some service providers do for paperless billing. That would be the carrot option. Instead they chose the stick. 


Whatever…

mark fearing 16 Years · 441 comments

Let Twitter die. Long goodbyes aren't good for anyone. 

22july2013 11 Years · 3736 comments

ranson said:
You should never just turn someone's MFA off without their explicit approval.

Usually I'm a "let the market decide" person rather than "regulate with new laws" person, but perhaps it should be illegal to go from 1FA to ZeroFA, so maybe it should also be illegal to go from 2FA to 1FA.

Anilu_777 8 Years · 579 comments

Twitter doesn’t seem to know its a$$ from a hole in the ground. I’m using it less and less and this mess continues.