Malcolm Owen
Twitter is going to make text-based two-factor authentication a feature of the Twitter Blue subscription, a change that can affect the security of millions of users.
In a company blog post from Wednesday that was highlighted by the micro-blogging service in a Friday tweet, Twitter is changing how it handles two-factor authentication. Specifically, that one method will be limited only to paid users.
Securing the account is usually handled by three two-factor authentication systems, consisting of text messages, using an authentication app, or a security key. While the latter two will be staying as they are, the SMS authentication option is being turned into a benefit for Twitter Blue subscribers.
In a blog post, Twitter cites how text-based 2FA can "be used - and abused - by bad actors," and that as of Wednesday, it isn't allowing accounts to enroll in SMS 2FA, unless they are Twitter Blue subscribers.
For existing SMS-based 2FA users who aren't using Twitter Blue, they will have until March 20 to disable it and to use one of the other methods. After March 20, non-Twitter Blue subscribers won't be able to use text-based 2FA, with such accounts having 2FA disabled automatically.
"We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead," writes Twitter. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure."
The removal of text-based two-factor authentication is the latest policy change for Twitter in its months-long management by Elon Musk. Other changes have included increasing the character limit on Twitter Blue to 4,000, attempts to introduce a new paid API, and a temporary blocking of links to other social platforms.
Christine McKee
AppleInsider Staff
Chip Loder
William Gallagher
15 Comments
This is an interesting choice with somewhat dubious reasoning: pay us $8 for the continuing privilege of using the least secure MFA mechanism.
Most likely, the SMS's were too costly for Elon's liking, while Authenticator apps are both more secure and effectively free for Twitter to support. So from a financial perspective, it makes a lot of sense. From a security posture, forcing users off of SMS and over to an Authenticator app is a good long-term decision.
However, the outright disabling of nonconforming users' existing SMS MFA on March 20 is a terrible idea, as it will expose what is likely millions and millions of accounts to being compromised, should their passwords have been previously harvested. This will particularly impact users who rarely access Twitter anymore, if at all. A better approach here would be to retain the SMS MFA on those users indefinitely, but require them to explicitly disable MFA or switch to an Authenticator app the next time they access Twitter after 3/20. You should never just turn someone's MFA off without their explicit approval.
Let Twitter die. Long goodbyes aren't good for anyone.
Twitter doesn’t seem to know its a$$ from a hole in the ground. I’m using it less and less and this mess continues.