How to Protect Yourself from Twitter’s 2FA Crackdown
The latest bizarre move under Elon Musk’s ownership of Twitter weakens the security of millions of accounts. On Feb. 17, Twitter announced plans to block people from using SMS-based two-factor authentication to secure their accounts unless they start paying for a Twitter Blue subscription. However, there are safer, free, and easier ways to continue protecting your Twitter account with two-factor authentication.
Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from hacker attacks. When you log into a website, app, or service, 2FA prompts you to log in with your username and password, and then uses other information to verify that the login is authentic. Most often, this involves entering a temporary code that is generated or sent to you in real time.
This second piece of information helps prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often sent to or created by the device in your pocket. Having any type of two-factor authentication enabled is better than none. However, it’s not entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.
That’s because SIM swapping attacks, where phone numbers are compromised by attackers, allow criminals to access 2FA messages and break into accounts. Simply put, using another 2FA option, even if it’s a little less convenient, is your best bet.
In its announcement, Twitter said people have 30 days to disable SMS-based 2FA and switch to another option. It said the system had been abused by “evil actors” in the past. On March 20, Twitter will “disable” the use of text messaging for two-factor authentication — unless you pay for the privilege. Before that date, people were already seeing pop-ups asking them to remove two-factor authentication for text messages.
However, Twitter’s announcement has stunned, confused and angered security researchers. They say removing SMS-based 2FA just for people not paying for Twitter Blue makes no sense and will weaken people’s security unless they switch to another 2FA option. Here’s what you should do to keep your account safe.
Use an authenticator app or security key
Instead of disabling 2FA on your Twitter account, there are two better options: authenticator apps and security keys. Both work on the same principles as SMS-based 2FA. To activate either of these alternatives, you must visit Twitter, open Settings and Privacy, then Security and Account Access, Security, and finally Two-factor authentication. (Or just click here when you are logged in.) Here you have the option of using two-factor authentication via an app or using security keys.
Instead of receiving your six-digit authentication code by text message, you get it from an authenticator app, which constantly generates the codes itself and syncs them with the services you use. Authenticator apps list all the websites you’ve registered with and show the codes you need to enter to log in. These codes are updated every 30 seconds. Any time you need to log into a website or app, instead of waiting for a text message, visit the authenticator app after entering your username and password to receive the authentication code. (This is especially helpful if your phone isn’t connected for some reason.)
https://www.wired.com/story/twitter-2fa-sms-alternatives-twitter-blue/