Twitter announced yesterday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” like a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.
Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.
“While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published yesterday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
In a July 2022 report about account security, Twitter said that only 2.6 percent of its active users have any type of two-factor authentication enabled. Of those users, nearly 75 percent were using the SMS version. Almost 29 percent were using authenticator apps and less than 1 percent had added a physical authentication key.
SMS-based two-factor authentication is insecure because attackers can hijack targets’ phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than not having a second authentication factor enabled at all.
Increasingly, tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users (typically over many months or years) to other forms of authentication. Researchers worry that Twitter’s policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor seem like a premium feature.
“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon’s usable privacy and security lab. “But if their motivation is security, wouldn’t they want to keep paid accounts secure too? It doesn’t make sense to allow the less secure method for paid accounts only.”
While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen yesterday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.”
It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023,” the notification says. But Twitter’s blog post says that two-factor will simply be disabled on March 20 if users don’t adjust it before then. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”
Twitter did not return a request for comment about what will happen to accounts that still have SMS two-factor enabled on March 20. The company also did not answer questions about the possibility that the policy change will result in a significant loss of two-factor adoption on the platform.
“On the surface, this sounds like a good degree of concern for users’ safety, but if you pay for Twitter Blue—and are, therefore, a customer who is serious about your Twitter usage and who Twitter should care about the most—you can continue to use that less secure method of authentication. Huh?” says Jim Fenton, an independent identity privacy and security consultant. “And if you aren’t a Twitter Blue subscriber and they downgrade you to just password-based authentication, now they’ve fully taken something that’s purported to improve users’ security and done exactly the opposite.”
On Friday evening, the Twitter account “T(w)itter Takeover News” echoed the company’s comments about phone-number-based 2FA being abused by scammers. The account tweeted that, “Twitter changed its policies … regarding SMS based 2FA because Telcos Used Bot Accounts to Pump 2FA SMS. They were losing $60mn/yr on scam SMS.” Shortly after, Elon Musk’s Twitter account replied, “Yup.”
Musk has long said that he is in a war against Twitter bots, but has struggled to deal with separating legitimate bots from malicious ones. Meanwhile, Twitter’s SMS two-factor mechanism had outages and reliability problems in mid-November amidst chaos inside the company during the early days of Musk’s leadership.
Eliminating SMS two-factor “might very incrementally decrease Twitter’s costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages,” Fenton says. But he adds that the cost-savings would likely be extremely minor.
Fenton notes, too, that the move would make more sense if Twitter were also announcing support for the new authentication mechanism known as “passkeys” that tech giants have increasingly been adopting as a way to reduce user reliance on passwords. “Twitter would basically be saying that they’re substituting a new authentication method that also doesn’t require buying a hardware security key,” Fenton says. “But the Twitter Blue exception still wouldn’t make sense.”
As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users’ accounts.
“I don’t think we really know whether this will nudge people to go ahead and get an authenticator app or whether a lot of people will just give up on 2FA,” Carnegie Mellon’s Cranor says. “In general, two-factor authentication is not widely adopted by users unless they are forced to use it. I think a lot of other companies will be watching to see whether disallowing text message 2FA is a good idea or not.”
Whether Twitter will be transparent about the impacts of the changes and release updated statistics is another question entirely.