
Twitter announced Friday that starting March 20, users will be able to secure their accounts with SMS-based two-factor authentication only if they have paid for a Twitter Blue subscription. Two-factor authentication (2FA) requires users to log in with a username and password, then use an additional “factor” such as a numeric code. Security experts have long advised using generator apps to obtain these codes. But SMS text receiving them in her messages is a popular alternative, so removing that option for free users has left security experts scratching their heads.
Twitter’s two-factor move is the latest in a string of controversial policy changes since Elon Musk acquired the company last year. A paid service, Twitter Blue (currently the only way to get a blue verified checkmark on your Twitter account) costs $11 a month for Android and iOS, or less for desktop-only subscriptions. Users launched from SMS-based two-factor authentication have the option to switch to an authenticator app or physical security key.

“Historically a popular form of 2FA, we have unfortunately seen phone number-based 2FA abused and abused,” Twitter wrote. blog post Published Friday night. “So, starting today, we will no longer allow your account to register for her 2FA text message/SMS method unless you are a Twitter Blue subscriber.”
of July 2022 Report on Account Security, Twitter said only 2.6% of active users have enabled any kind of two-factor authentication. Of those users, nearly 75% used her SMS version. Nearly 29% used an authenticator app and less than 1% added a physical authentication key.
SMS-based two-factor authentication is insecure because attackers can hijack the target’s phone number or use other techniques to intercept the text. However, security experts have stressed that using SMS two-factor is far better than not enabling a second authentication factor.
Tech giants such as Apple and Google are deprecating SMS two-factor authentication options and moving users (usually over months or years) to other forms of authentication. Researchers are concerned that Twitter’s policy changes will take users much less time to complete the transition, confusing users as two-factor SMS looks like a premium feature.
“The Twitter blog points out that two-factor authentication using text messages is frequently abused by bad actors. We agree that it is less secure than other 2FA methods,” said said Lorrie Cranor, director of the Usable Privacy and Security Lab at Carnegie Mellon University. “But if their motivation is security, they want to keep their paying accounts safe too, right?