Twitter Posted An Update About 2FA Authentication



Twitter posted a product update titled “An update on two-factor authentication using SMS on Twitter” on its blog on February 15, 2023. From the update:

“We continue to be committed to keeping people safe and secure on Twitter, and a primary security tool we offer to keep your account secure is two-factor authentication (2FA). Instead of entering a password to log in, 2FA requires you to also enter a code or use a security key. This additional step helps make sure that you, and only you, can access your account. To date, we have offered three methods of 2FA: text message, authentication app, and security key.

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2033, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled. Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account. If you would like to do so, instructions to update your account phone number are available on our Help Center.

“We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead. These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.”

Engadget reported that Twitter users will soon have to use an authenticator app or a security key to be able to use two-factor authentication if they’re not a Blue subscriber. The website has made text-based 2FA an exclusive feature for members paying for the subscription service.

Engadget also reported that Twitter said it has come to the decision after seeing “phone-number based 2FA be used – and abused – by bad actors.” Some critics are doubting Twitter’s explanation, however, and speculating that the company’s real intention is to add SMS 2FA as one of the features it offers with its subscription service.

NBC News reported that Twitter owner Elon Musk tweeted “Yup” in reply to a user tweet that the company was changing policy “because Telcos Used Bot Accounts to Pump 2FA SMS,” and that the company was losing $60 million a year “on scam SMS”.

To my surprise, I actually agree with Elon Musk’s decision to remove the Twitter SMS in favor of having users seek out an authentication app. I’ve been using one for a while on Twitter (and other sites). As stated in the update, only you can access the 2FA app on your phone.

My only concern about this change is that it appears that those who pay for Twitter Blue will still have access to the Twitter SMS app. Based on the update, it sounds like that is actually less protection than what a 2FA app can provide.