Logging into the app with two-factor authentication (2FA) requires a second, independent means of proving the user’s identity beyond the password. Twitter users have the option of using a text message, an authentication app, or a security key to log in. Yet the firm has stated its belief that “bad actors” are abusing text-based 2FA. The business wrote on its blog, “While historically a popular form of 2FA, unfortunately, we have seen phone-number-based 2FA be used – and abused – by bad actors.

“So, starting today, we will no longer allow accounts to enrol in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.”

What happens to those not verified on Twitter?

Users who are not paying $8 per month for Twitter Blue “will have 30 days to disable this method and enrol in another,” the company wrote on a blog post to users who rely on text-based 2FA. Those who have 2FA activated but have not subscribed by March 20 will have it turned off. According to the firm, “We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead.

“These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.”

Users were outraged by the decision. According to a tweet from Naimish Keswani, “Twitter is now putting the most random features behind a paywall.”

According to Citizen Lab researcher John Scott-Railton from the University of Toronto, this decision effectively “blackmails” people. His tweet read, “Yes, there are better forms of 2FA. But this is blackmail.

“Expect waves of takeovers as hackers run through password dumps. Text message authentication is not great and it needs to be evolved away from. But this is reckless.”

Why this new policy?

This new 2FA policy was initially reported by Zoë Schiffer of Platformer and confirmed by Twitter. However, the reasoning behind it remains unclear. Since Elon Musk purchased Twitter for $44bn, the company has been losing money and personnel at an alarming rate. As sending text messages is expensive, it is likely that cost savings motivated the decision to phase out SMS 2FA. Musk’s tweets appeared to confirm that the company was altering its policies in order to cut costs. He tweeted it was “because telcos used bot accounts to pump 2FA SMS,” and Twitter was haemorrhaging “$60m a year on scam SMS”.

Twitter’s blog post explaining the change in policy cited concerns that malicious actors could exploit SMS 2FA. One possible context for this is SIM swap attacks, in which a hacker persuades a victim’s mobile carrier to move the victim’s phone number to a device under the hacker’s control. By hijacking the phone number, the hacker receives the victim’s text-message codes and can use them to get into the victim’s online accounts. However, limiting SMS 2FA to Twitter Blue subscribers does not protect those paying users against SIM swap attacks; they still use SMS 2FA. If anything, paying users’ accounts are more exposed to hijacking in the event that their phone number is stolen, because Twitter is promoting SMS 2FA to them.

That said, and most importantly, using SMS 2FA is still a much better way to safeguard your accounts than not using 2FA at all. Twitter’s new policy, however, does nothing to encourage people to switch to a more secure kind of two-factor authentication. Companies like Mailchimp, on the other hand, take the opposite (and proper) tack by offering monthly bill discounts to customers who enable 2FA.

If there is any good news, it is that Twitter is keeping two-factor authentication around. Also, you can still protect your account with strong 2FA without paying Elon Musk a dime.

Even if you’ve moved on from Twitter in favour of a decentralised service like Mastodon or another similar platform, you should still take precautions to protect your account before March 20 to avoid having someone else tweet in your name.

How to protect your Twitter account

Anyone not interested in upgrading to Twitter Blue can still use 2FA if they so choose. You should switch to app-based 2FA instead of relying on 2FA codes received via text message: it is more secure and takes no longer to set up. Most major online services also support app-based 2FA. Authenticator apps like Duo, Authy, and Google Authenticator generate the codes on your own device, so you enter them in place of codes received by text message. Because the code is generated locally rather than sent over the phone network, this is far safer.

Experts say that Google’s Authenticator app, which is available for iOS and Android and can be linked to Twitter, is more secure than SMS and is free for consumers. This approach also protects against SIM card cloning, since no code is ever sent to your phone number.

Install your authenticator app on your phone before starting the setup. In your Twitter account, go to Settings and Privacy, then Security and Account access, then Security. On the Two-factor authentication page, choose Authentication app. You may need to enter your account password to get started, so read and follow each prompt carefully. Once enrolled, you will log in with your password plus a code from your authenticator app.

Keep in mind that while this is a far more secure way of accessing your Twitter account, losing your phone can make it very difficult to get back in. That is why it is important to keep a copy of your recovery questions and answers in your password manager, in case you ever need them to regain access after being locked out. Your backup verification codes are found in the same two-factor authentication settings as your app-based 2FA, so save those as well.