Why it matters: Twitter has traditionally provided users with three methods to secure accounts using two-factor authentication (2FA). One of the most popular, among users and malicious actors alike, is the SMS-based 2FA option. Twitter is now making SMS-based authentication available exclusively to its Twitter Blue subscribers to curb the rising number of SMS-based 2FA exploits.
Twitter announced the change on its official blog earlier this week, citing its commitment to user security as the driving force behind the decision. According to the post and Twitter’s account security data, accounts secured with SMS-based 2FA are the most susceptible to unauthorized access by malicious actors.
Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here:
— Twitter Support (@TwitterSupport) February 18, 2023
The removal of SMS-based 2FA on unpaid accounts went into effect at the time of the announcement on Wednesday, February 15th. Non-subscribers using SMS-based 2FA will have 30 days to disable the authentication method and enroll in one of the other available options. Failure to switch to any of the remaining free 2FA options will leave the account more vulnerable than those secured by other methods.
The decision was met with a mix of responses from Twitter’s user base. Some users have applauded Twitter’s move away from SMS-based 2FA, reiterating that it is a positive step in account security measures. Even some Musk detractors see the move as a favorable one.
As expected, there’s no shortage of feedback citing the move as an infringement on user rights or a pure cash grab by Twitter’s new CEO. Some negative feedback even misstates what the decision means, incorrectly claiming that Twitter has removed all 2FA options for non-subscribers.
Twitter’s SMS woes aren’t exactly a new problem. In 2019 the social media giant suspended the ability to tweet via SMS after hackers got into former CEO Jack Dorsey’s profile. They gained access by exploiting Twitter’s Cloudhopper SMS service, then tweeted racially charged statements and antisemitic messages.
It’s unclear how a less-secure authentication method has become a paid feature of Twitter’s Blue subscription model to limit its use. Chances are some users will pay the price solely for the convenience of SMS-based authentication. Twitter users who do not wish to subscribe to Twitter Blue can find more information on available alternatives via Twitter’s Help Center.