Changes are afoot on Twitter too: Elon Musk’s social network has announced that securing accounts via SMS-based two-factor authentication (2FA) will be an exclusive option for paying Twitter Blue users from this point forward.
According to the blog entry (opens in new tab) To explain the change, you won’t be able to set up 2FA with SMS after March 30 unless you pay for Twitter Blue. If you’re currently using this method to protect access to your account, you have 30 days to either subscribe to Twitter Blue or switch to a different 2FA method, such as . B. an authenticator app or a security key.
“We encourage non-Twitter Blue subscribers to use an authenticator app or security key method instead,” Twitter’s statement said. “These methods require you to physically own the authentication method and are a great way to ensure your account is secure.”
As of March 20, 2023, only Twitter Blue subscribers can use text messaging as a two-factor authentication method. Other accounts can use an authenticator app or security key for 2FA. Learn more here: https://t.co/wnT9Vuwh5nFebruary 18, 2023
Pay or change
In its blog post, Twitter cites the abuse of the SMS 2FA system by “bad actors” as one of the reasons for the change. Out of an Elon Musk tweet (opens in new tab)it also appears that Twitter lost a significant amount of money from bot accounts that abused the SMS 2FA method.
Now, if you want to stick with SMS to set up Twitter on new devices, you’ll have to pay for the privilege. Twitter Blue costs $8 per month, or $11 per month if you sign up via Android or iOS, and it’s also available for a full year for $84. Among other things, you can edit tweets and unpost tweets.
While it might not be the worst change Twitter has seen under Musk’s leadership, the move has sparked a lot of anger — on Twitter, of course — from those who see it as one of the most important security measures behind a paywall.
Analysis: Set up two-factor authentication, install the app
Two-factor authentication is absolutely something you should set up on Twitter and everywhere else (here is how (opens in new tab)): It adds an extra layer of protection, meaning that besides a username and password, something else is required to log into your account on unknown devices (details that can be tricked or actually leaked out to you online).
That “something different” can be a text message sent to your phone, but at this stage, SMS is the weakest option for 2FA. Text messages can be intercepted and redirected, and it’s a much better idea to instead install a free app on your phone to generate an authentication code – among those available is Authenticator (opens in new tab) by Google and Authy (opens in new tab).
The weakness of SMS 2FA begs the question as to why Twitter didn’t just drop it altogether – but it seems there are still users who really need this functionality. It’s not clear how big this group is, but anyone who’s still in it now has to pay for the privilege of having their 2FA codes sent via SMS.
One of the risks of doing this is that SMS 2FA users who don’t want to pay will simply turn off 2FA completely – which we definitely wouldn’t recommend. To keep your account as secure as possible, set up 2FA and use a mobile app as your authentication method, whether you’re subscribed to Twitter Blue or not.