If you’re currently using text-based two-factor authentication to secure your Twitter account — and if you’re also not forking over $8/month at the moment (if you’re on an Android device) to subscribe to Twitter Blue ($11/month for iOS users) — Twitter has confirmed that it will simply turn off your SMS-based authentication in very short order.
The app has begun sending out messages to that effect, stating that text-based two-factor authentication will only be available to Blue subscribers going forward after March 20. And, as part of that change, anyone who doesn’t subscribe to Blue before then will simply find that security setting disabled.
Twitter killing SMS two-factor authentication – unless you pay up
“You must remove text message two-factor authentication,” reads the message that the company has begun sending out to users that this affects. “Only Twitter Blue subscribers can use the text message two-factor authentication method. It’ll take just a few minutes to remove it. You can still use the authentication app and security key methods … To avoid losing access to Twitter, remove text message two-factor authentication by Mar. 19, 2023.”
In a company blog post further elaborating on the change, Twitter explains that SMS has always been the least secure form of this kind of user authentication. It’s certainly not that difficult for a sophisticated attacker to steal your phone number and then simply prove they’re you, rendering the SMS authentication useless. Even Twitter co-founder Jack Dorsey a few years ago found himself a victim of this very kind of attack.
The driving force behind all this is clearly a desire by Twitter to save money (the bill for sending out SMS messages quickly adds up), and cost-cutting is what the company’s new owner Elon Musk has been scrambling to do for months now — a move that’s also manifested itself in employee purges and trying to juice the app’s subscription revenue.
‘This is blackmail’
Still, putting a security feature behind a paywall for an advertising-supported service seems like one of the least defensible changes in what’s been a chaotic first few months of Musk’s Twitter ownership. SocialProof Security CEO Rachel Tobac tweeted on Friday night that this is a particularly dicey move, because (according to Twitter’s own data) while fewer than 3% of Twitter users have two-factor authentication turned on at all, 74% of those users have enabled SMS-based two-factor authentication.
“Twitter about to give hackers a huge gift … by *REMOVING text message authentication* for non-paying accounts,” tweeted John Scott-Railton, a senior researcher at The University of Toronto’s Citizen Lab. “Yes, there are better forms of #2FA. But this is blackmail. Expect waves of takeovers as hackers run through password dumps.”
In reference to Twitter’s blog post above which decries SMS authentication as vulnerable anyway, Bellingcat researcher Aric Toler tweeted his own thoughts about the move: “I love how their messaging here is: ‘SMS 2FA is absolute trash and shouldn’t be used — therefore, only our valued Twitter Blue customers are allowed to use it.'”