How to secure your Twitter account for free after SMS 2FA becomes a paid feature

[Illustration: 2FA, by Kodefied]

Crux: Twitter would begin charging for SMS two-factor authentication. But you don’t need to sign up for $8 a month to use free authentication apps. This article details the process of securing your Twitter account using free 2FA apps.

Twitter will now charge users for SMS-based two-factor authentication (2FA), the social media giant announced. From March 20, users who have not signed up for the Twitter Blue subscription service ($8 a month on Android; $11 a month on iOS) or switched to an authenticator app or a physical security key will no longer be able to use SMS-based 2FA.

Since the announcement, some users have already begun receiving pop-ups urging them to “remove text message two-factor authentication” before the deadline. Twitter has given users a 30-day window to make the switch.

Why? The move comes as part of an effort to crack down on abuse by “bad actors” who have taken advantage of the system in the past. Twitter said it “will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

What is 2FA?

Two-factor authentication, better known as 2FA, is one of the most effective security measures to protect your online accounts from being hacked. It commonly requires you to log in using a second authentication factor such as a security token, biometric data, or a one-time code sent to you in real time. The purpose of 2FA is to add an extra layer of security to prevent unauthorized access to online accounts.

Backlash after Twitter move

Twitter’s announcement has baffled and angered many. Security experts say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken security if they do not move to another 2FA option.

Many Twitter users shared screenshots of notifications reminding users to disable the security feature to “avoid losing access to Twitter.” People outside the U.S. have pointed out that Twitter Blue is not even available in some countries. Expressing outrage towards the rollback, one user described it as “paying extra fee for seat belts on the airplane”.

Following the criticism, Twitter’s owner, Elon Musk, tweeted: “Use of free authentication apps for 2FA will remain free and are much more secure than SMS.”

Casey Ellis, chief technology officer of the security firm Bugcrowd, agrees that Twitter’s concerns about the potential flaws in 2FA are valid, but says its proposed solution lacks clarity and effectiveness.

What do experts suggest?

Security researchers have been sounding the alarm for years about the vulnerabilities of SMS-based 2FA. The main concern is SIM-swapping attacks, in which attackers take over a victim’s phone number, intercept the 2FA messages sent to it, and use those codes to break into accounts. In 2019, this method was used to break into the Twitter account of the company’s former chief executive, Jack Dorsey.

While SMS-based 2FA may offer a quick and easy option for securing online accounts, experts recommend using alternate 2FA methods.

What are other free 2FA options for Twitter users?

There are multiple free two-factor authentication apps and security keys available. These include Authy (from Twilio), Google Authenticator, and Microsoft Authenticator, as well as 1Password’s authenticator service. iPhone users can use Apple’s built-in code generator.

Authenticator apps provide a list of registered websites and codes for logging in that refresh every 30 seconds. Users enter their username and password, then retrieve the code from the app instead of waiting for a text message.

To enable 2FA on Twitter using Authy, for instance, follow these steps:

  1. Log in to your Twitter account on the web.
  2. Click the three-dot icon (More) in the left sidebar, then go to More > Settings and Support > Settings and Privacy.
  3. Go to Security and account access > Security > Two-factor authentication.
  4. Choose Authentication app.
  5. Install Authy on your smartphone, then open the app and follow the prompts to set it up.
  6. Return to Twitter on the desktop site and scan the QR code displayed on the screen with Authy.
  7. Once scanned, Authy will automatically add Twitter to its list of accounts and generate a one-time code.
  8. Enter the one-time code provided by Authy into the Twitter prompt and click “Verify.”
  9. Once verified, Twitter will prompt you for a verification code each time you log in, which can be retrieved from the Authy app.