Late on Friday, Twitter announced a new policy that will remove text message two-factor authentication (2FA) from any account that won’t pay for it.
In a blog post, Twitter said that it will only allow accounts that subscribe to its premium Twitter Blue feature to use text message-based 2FA. Twitter users that don’t switch to a different type of two-factor authentication will have the feature removed from their accounts by March 20.
That means that anyone who relies on Twitter sending a text message code to their phone to log in will have their 2FA switched off, allowing anyone to access their accounts with just a password. If you have an easily guessable Twitter password or use that same password on another site or service, you should take action sooner rather than later.
Twitter claims it is “committed to keeping people safe and secure on Twitter.” This is not true. Instead, you’re looking at one of the stupidest security decisions made by a company playing out in real time.
It’s not clear for what reason this new 2FA policy, first revealed by Platformer’s Zoë Schiffer and later confirmed by Twitter, was instituted. Since Elon Musk’s $44 billion takeover, Twitter has been hemorrhaging cash and employees. It’s likely that the move to eliminate SMS 2FA was to save the company money, given sending text messages isn’t cheap. We’d ask Twitter for comment, but Musk fired its entire communications team.
Twitter justified the decision in its blog post, saying SMS 2FA can be abused by bad actors. This might refer to SIM swap attacks, where a hacker convinces your cell provider to assign a victim’s phone number to a device controlled by the hacker. By taking control of a person’s phone number, the hacker can impersonate the victim — as well as receive text message codes that can allow the hacker access to a victim’s online accounts. But making SMS 2FA available to only Twitter Blue subscribers doesn’t make paying users any more protected from SIM swap attacks. If anything, by encouraging paid users to rely on SMS 2FA, their Twitter accounts are more prone to takeovers if their phone number is hijacked.
That all being said — and this is important — SMS 2FA still provides far greater protections for your accounts than not using 2FA at all. But Twitter’s new policy is not the way to encourage users to use a more secure 2FA. In fact, companies like Mailchimp take the opposite (but correct) approach by encouraging users to switch on 2FA by discounting customers’ monthly bills.
The silver lining — if we can call it that — is that Twitter isn’t scrapping 2FA altogether. You can still protect your account with strong 2FA without paying Elon Musk a dime.
Regardless of whether or not you have abandoned your Twitter account in favor of alternative, decentralized services like Mastodon and others, you will still want to take action before March 20 to secure your account in the event that someone breaks in and starts tweeting on your behalf.
Instead of using 2FA codes sent by text message, you need app-based 2FA, which is far more secure and is as fast as receiving a text message. (Many online sites, services and apps also offer app-based 2FA.) Instead of having a code sent to your phone by text message, you can generate a code through an authenticator app on your phone — like Duo, Authy or Google Authenticator to name a few. This is so much more secure as the code never leaves your device.
To set this up, first make sure you have your authenticator app installed on your phone. Go to your Twitter account, then go to Settings and privacy, then Security and account access, then Security. Once you’re on the Two-factor authentication settings, select Authentication app. Follow the prompts carefully — you may have to enter your account password to get started. Once you’re done, you will be able to log in using your password, then a code generated from your authenticator app.
Remember, this is a far more secure way of accessing your Twitter account, which means if you lose your phone it can be very difficult to get back into your account. That’s why you should keep a record of your backup codes, which allow you to gain access to your account if you are locked out, safely stored in your password manager. You can find your backup codes in the same place you set up your app-based 2FA.
How two-factor authentication can protect you from account hacks
Comment