
Twitter is changing again: The Elon Musk-owned social network has announced that, starting now, securing accounts with text-based two-factor authentication (2FA) will be an option exclusive to paid Twitter Blue users.
According to a blog post explaining the change, you won't be able to set up 2FA via text message after March 30 unless you pay for Twitter Blue. If you currently use this method to secure access to your account, you have 30 days to subscribe to Twitter Blue or switch to a different 2FA method, such as an authenticator app or security key.
“We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method,” Twitter said in its statement. “These methods require you to actually have an authentication method and are a great way to keep your account secure.”
Beginning March 20, 2023, only Twitter Blue subscribers will be able to use SMS as their two-factor authentication method. Other accounts can do 2FA with an authentication app or security key. Learn more here: https://t.co/wnT9Vuwh5n
February 18, 2023
Pay or switch
In its blog post, Twitter cited abuse of the SMS 2FA system by “bad actors” as one of the reasons behind the switch. From Elon Musk’s tweet, it appears that Twitter has also lost a significant amount of money from bot accounts abusing the SMS 2FA method.
Now, if you want to stick with SMS codes when setting up Twitter on a new device, you’ll need to pay for the privilege. Twitter Blue costs $8 per month, or $11 per month if you sign up via Android or iOS, and an annual subscription is available for $84. Among other benefits, you can edit tweets and undo tweets.
While this may not be the worst change Twitter has seen under Musk, the move has sparked considerable outrage (on Twitter, of course) from those who see it as one of the most critical security measures being placed behind a paywall.
Analysis: Set up two-factor authentication, install an app
Two-factor authentication is definitely something you should be setting up on Twitter and everywhere else: it adds an extra level of protection, meaning something other than a username and password (details that can be tricked out of you or leaked online) is required to log into your account on an unknown device.
That “something else” could be a text message sent to your phone, but at this stage text messages are the weakest option for 2FA. Because text messages can be intercepted and redirected, it is best to install a free app on your phone to generate verification codes; available options include Google Authenticator and Authy.
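To show why app-generated codes avoid the interception problem, here is an added example (not part of the original article) of the standard time-based one-time password algorithm, RFC 6238, which authenticator apps such as Google Authenticator implement: the code is computed locally from a shared secret and the clock, so nothing travels over the phone network. The function names are illustrative, and the sample key is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(b32):
    """Apps receive the shared secret once, as base32 (QR code or typed key)."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second slot."""
    return hotp(secret, int(now // step), digits)


def verify(secret, submitted, now, step=30, digits=6, drift=1, last_used=-1):
    """Server-side check; returns the matched time slot, or None on failure.

    Accepts +/- `drift` slots for clock skew and rejects any slot that is
    not newer than `last_used`, so an observed code cannot be replayed.
    """
    current = int(now // step)
    for slot in range(current - drift, current + drift + 1):
        if slot <= last_used:
            continue
        candidate = hotp(secret, slot, digits).encode()
        if hmac.compare_digest(candidate, submitted.encode()):
            return slot
    return None


if __name__ == "__main__":
    # Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(key, time.time())
    slot = verify(key, code, time.time())
    print("code:", code, "accepted in slot:", slot)
    print("replay result:", verify(key, code, time.time(), last_used=slot))
```

The service stores the matched slot as `last_used` after each successful login, which is what makes a code single-use even inside its validity window.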
The weakness of SMS 2FA begs the question of why Twitter hasn’t dropped it entirely, but there still seem to be users who really need the feature. It’s unclear how big this group is, but anyone still in it will now have to pay for the privilege of receiving 2FA codes via text message.
One of the risks here is that SMS 2FA users who don’t want to pay will turn off 2FA entirely, a practice we definitely would not recommend. To keep your account as secure as possible, set up 2FA and use an authenticator app as your authentication method, whether you subscribe to Twitter Blue or not.