Twitter’s Two-Factor Authentication Change ‘Doesn’t Make Sense’

Twitter announced yesterday that, starting March 20, it will only allow users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then supply an additional “factor,” such as a numeric code. Security experts have long advised using a code-generator app to obtain these codes, but receiving them by SMS text message is a popular alternative, so removing this option for non-paying users has left security experts scratching their heads.
Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk took over the company last year. The paid service Twitter Blue — the only way to get a blue verified tick on Twitter accounts now — costs $11 a month on Android and iOS, and less for a desktop-only subscription. Users booted from SMS-based two-factor authentication have the option to switch to an authenticator app or physical security key.
“While historically a popular form of 2FA, we have sadly seen phone number-based 2FA used – and abused – by bad actors,” Twitter wrote in a blog entry published last night. “Starting today, we will no longer allow accounts to opt-in to the text/SMS method of 2FA unless they are Twitter Blue subscribers.”
In a July 2022 report on account security, Twitter said that only 2.6 percent of its active users have some type of two-factor authentication enabled. Of these users, almost 75 percent used the SMS version. Almost 29 percent used authentication apps and less than 1 percent had added a physical authentication key.
SMS-based two-factor authentication is insecure because attackers can hijack targets’ phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than not enabling a second factor of authentication at all.
Tech giants like Apple and Google have progressively eliminated the option of SMS two-factor authentication, migrating users (usually over many months or years) to other forms of authentication. Researchers fear Twitter’s policy change will confuse users by giving them so little time to complete the transition and by making SMS two-factor appear to be a premium feature.
“The Twitter blog rightly points out that two-factor authentication using text messaging is often abused by bad actors. I agree that it’s less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon’s Usable Privacy and Security Lab. “But if their motivation is security, wouldn’t they also want to keep paid accounts secure? It makes no sense to only allow the less secure method for paid accounts.”
While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor enabled encountered a pop-up overlay screen yesterday advising them to remove two-factor entirely or to switch to “the authenticator app or security key methods.”
It’s unclear what will happen if users don’t disable SMS two-factor by the new deadline. The in-app message implies that when the change officially takes effect on March 20, people who still have SMS two-factor enabled will be locked out of their accounts. “To maintain access to Twitter, remove two-factor authentication via SMS by March 19, 2023,” the notification reads. But Twitter’s blog post says two-factor will simply be disabled on March 20 if users don’t change the setting before then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use text messaging as a 2FA method,” the company wrote. “At this point it will be disabled for accounts that still have SMS 2FA enabled.”
https://www.wired.com/story/twitter-sms-2fa-twitter-blue/