Change to Twitter’s two-factor authentication

Change to Twitter’s two-factor authentication

San Francisco, 3/3/2023

Twitter announced that starting March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription.

Two-factor authentication, or 2FA, requires users to log in with a username and password and a numeric code. Security experts have long advised using a generator app to get these codes. But receiving it in SMS text messages is a popular alternative. Twitter explained:

„While historically a popular form of 2FA, sadly we have seen phone number-based 2FA used – and abused – by bad actors,“ Twitter wrote in a blog post published last night. „Starting today, we will no longer allow accounts to opt-in to the text/SMS method of 2FA unless they are Twitter Blue subscribers.“

Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk took over the company last year. The paid service Twitter Blue — the only way to get a blue verified tick on Twitter accounts now — costs $11 a month on Android and iOS, and less for a desktop-only subscription. Users booted from SMS-based two-factor authentication have the option to switch to an authenticator app or physical security key.

Apple and Google have also increasingly eliminated the option for SMS two-factor authentication and switched users to other forms of authentication. Researchers fear Twitter’s policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor features appear like a premium feature.