Twitter's text-based two-factor authentication becomes a paid-only feature

By Malcolm Owen

Twitter is going to make text-based two-factor authentication a feature of the Twitter Blue subscription, a change that can affect the security of millions of users.

According to a company blog post from Wednesday, which the micro-blogging service highlighted in a Friday tweet, Twitter is changing how it handles two-factor authentication. Specifically, one method will be limited to paid users.

Accounts are usually secured by three two-factor authentication methods: text messages, an authentication app, or a security key. While the latter two will stay as they are, the SMS authentication option is being turned into a benefit for Twitter Blue subscribers.

In the blog post, Twitter says that text-based 2FA can "be used - and abused - by bad actors," and that as of Wednesday it isn't allowing accounts to enroll in SMS 2FA unless they are Twitter Blue subscribers.

Existing SMS-based 2FA users who aren't using Twitter Blue will have until March 20 to disable it and use one of the other methods. After March 20, non-Twitter Blue subscribers won't be able to use text-based 2FA, and such accounts will have 2FA disabled automatically.

"We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead," writes Twitter. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure."

The removal of text-based two-factor authentication is the latest policy change for Twitter in its months-long management by Elon Musk. Other changes have included increasing the character limit on Twitter Blue to 4,000, attempts to introduce a new paid API, and a temporary blocking of links to other social platforms.