Twitter’s doing a really good job of trying to push people towards Twitter Blue, the subscription service that costs $8 a month (or $11 on iOS) for a variety of perks and benefits. The latest “perk” announced for the service is SMS two-factor authentication.
Users who have SMS-based two-factor authentication enabled have until March 20 to either subscribe to Twitter Blue or switch to a different form of authentication. Those who don’t have 2FA enabled will find that the SMS option is already locked behind the Twitter Blue paywall.
What is two-factor authentication?
Two-factor authentication, also known as 2FA, is a security measure that helps keep hackers and other bad actors out of your accounts even if they have your password. So if an attacker has managed to obtain your password somehow, or has cracked it by brute force, there’s still another layer of security to make sure you’re the only person who can get into that account.
Think of 2FA like an airlock on a spaceship. Getting through the airlock means passing through two different doors every single time. In the event that one of those doors fails, there’s still an extra physical barrier between you and the cold harsh void of space.
The most common 2FA systems involve the user receiving a six- to eight-digit code and entering it during the login process. This code can be sent by email or SMS text message, or generated on the spot by a dedicated authentication app. Other 2FA systems include approving login requests from a trusted device, usually your phone, or using a physical USB security key that plugs into your device.
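To make concrete how an authentication app produces those six- to eight-digit codes, here is an added example (not code from the article, and not Twitter’s own implementation) of HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238) in Python, together with the check a service would run on the server side. The 30-second step, the `TotpVerifier` class and its drift window are assumptions chosen for illustration; the secret used is the published RFC test vector, not anyone’s real account secret.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, with a server-side verifier.

Added example: illustrates how authenticator-app codes are derived from a secret
shared at enrolment rather than from anything tied to a phone number.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real enrolment uses a fresh random secret, usually handed to the app as a base32 QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, then apply dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop the sign bit
    return str(code % 10 ** digits).zfill(digits)         # keep leading zeros


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP: HOTP where the counter is the number of `step`-second intervals since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


class TotpVerifier:
    """Server-side check (assumed design): accept a code from the current step or
    +/- `window` neighbouring steps to tolerate clock drift, and never accept the
    same time step twice, so an intercepted code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already used for a successful login

    def verify(self, candidate: str, for_time=None) -> bool:
        # Reject anything that is not a plain ASCII digit string of the right length.
        if not (candidate.isascii() and candidate.isdigit() and len(candidate) == self.digits):
            return False
        if for_time is None:
            for_time = time.time()
        now = int(for_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_counter:
                continue  # this time step was already consumed: replay attempt
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # What an authenticator app would show right now for the test secret.
    print("current 6-digit code:", totp(RFC_TEST_SECRET))
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082.
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SECRET, for_time=59, digits=8))
```

Nothing in that computation involves a phone number: the only inputs are the secret exchanged at enrolment and the current time, which is why an authentication app is not exposed to the SIM swapping problem discussed later in this piece. The verifier also shows the two checks a service should make that a plain “does the code match” comparison misses: tolerating one step of clock drift, and refusing to accept a time step that has already been used.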
What’s happening over at Twitter?
According to Twitter’s blog post, the social network will disable two-factor authentication entirely for any non-paying users who still rely on SMS authentication after March 20, leaving those accounts protected by nothing more than a password.
This is a rather odd decision for a multitude of reasons. The odd part isn’t that Twitter is pushing people away from SMS 2FA; SMS has a well-earned reputation for being incredibly insecure. The odd part is the stated justification: that the system is abused by bad actors, and that this fraud allegedly costs Twitter in excess of $60 million a year.
Twitter doesn’t have a lot of money right now and has been aggressively cutting costs, to the point where the company has allegedly not been paying rent on its offices, and has already gone through mass layoffs. It definitely hasn’t helped that advertisers, the main source of Twitter’s revenue, fled en masse thanks to a series of bizarre and controversial decisions.
Those decisions are reported to include lax content moderation policies and issues over brand safety. Evidently, letting anyone with $8 “verify” their account as whichever person or brand they like is not good for business.
Needless to say, the company has been pushing the premium Twitter Blue to try to make a dent in the lost revenue. Perks of subscribing include being able to “verify” your account with a blue tick, 50% fewer ads, early access to new features, tweet editing, more video upload options, and having your tweets prioritized in search results.
If bad actors really are defrauding Twitter by $60 million a year in this way, the obvious solution would be to scrap SMS-based 2FA in its entirety. Twitter wouldn’t be the only company to do so, and it would safeguard users from the various insecurities associated with sending authentication codes via SMS.
Not only is SMS messaging not end-to-end encrypted, with roughly the security of a wet paper bag, but SMS 2FA also relies entirely on you keeping control of your phone number. It is shockingly easy for bad actors to take over your phone number, whether through SIM swap scams, phishing, or other social engineering.
Once a hacker has control of your phone number, all your SMS 2FA protections might as well not be there.
In any case, account security isn't the kind of feature that should be locked behind a paywall. Especially not in a way that suggests the SMS 2FA option is some kind of premium perk that only paying customers deserve.
How to change your 2FA on Twitter
Log into your Twitter account and open the Settings and Support menu from the side bar, followed by Settings and privacy.
Tap Security and account access > Security.
Choose the two-factor authentication option.
Toggle off the Text Message option. Enter your password when prompted and agree to any prompts warning you about the dangers of not having 2FA.
Choose Authentication app, or Security Key if you have a physical USB security key to hand.
Follow the on-screen instructions to set up your new 2FA system.