The latest twist in the Twitter tale since Elon Musk bought the company is one of the most worrying to date. In a truly bizarre move, which appears to put penny-pinching before account security, Twitter has announced it will limit the use of SMS-based two-factor authentication (2FA) to Twitter Blue subscribers from March 20.
Twitter disables SMS 2FA for the majority of users
In a notice posted to the Twitter help center’s two-factor authentication pages, Twitter states that “Effective 20 March 2023, we will no longer support two-factor authentication using text messages for non-Twitter Blue subscribers.” With as many as 368 million active monthly users, of which less than 300,000 are thought to subscribe to Twitter Blue, that leaves a huge number of people with potentially weakened account security.
Indeed, even if you are a Twitter Blue subscriber, that doesn’t mean you will necessarily still be able to use SMS-based 2FA. The announcement notice added that “the availability of text message 2FA for Twitter Blue may vary by country and carrier.”
But wait, there’s more Twitter security madness
Things get even odder when you realize that Elon Musk himself has tweeted that authentication apps are “much more secure than SMS.”
This would suggest that he’s offering Twitter Blue subscribers worse security in exchange for their money. The truth, however, is a lot more worrying. When it comes to SMS-based 2FA, “its widespread acceptance among the general population made it a security feature of huge value,” says Andy Kays, CEO of threat detection specialists Socura. That is despite the inherent flaws of SMS, which do, in fact, make it a less secure option than either an authentication app or a hardware security key as a second account authentication factor. “In the short term, the removal of 2FA could be harmful, especially among less tech-savvy social media users,” Kays warns, arguing that “most people will switch from using SMS 2FA to using no form of 2FA whatsoever.”
Money likely the motive behind this move
The official reasoning behind the discontinuation of SMS 2FA for most users echoes the Musk tweet about it being less secure than authentication apps.
“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method.”
Another, perhaps more pressing, reason is likely to be a financial one. I would have asked the Twitter press office for comment, but it doesn’t exist anymore, which makes that quite difficult. However, it is known that there is a cost to using SMS to send 2FA text messages, just as it is known that Twitter has been losing money since the Musk takeover. After all, if weaker security was the reason behind the move, why leave your paying customers worse off, in security terms, than those using the service for free?
Twitter security has just been weakened for nearly 368 million users
Whatever the motive, the effect is simple: Twitter security has just been weakened for hundreds of millions of users. And that, dear reader, is never a good thing. In an ideal world, everyone would use a physical hardware authentication key. We do not live in an ideal world. Authenticator apps are a good second to physical keys, are free, and work well. But for the average user, convenience trumps security, which is why SMS-based 2FA is so popular. It’s ‘secure enough’ for the vast majority of use cases, and is preferable to no account 2FA at all. Without a second authentication factor, accounts become much easier to take over should passwords become compromised. Like many in the security space, I am left scratching my head over why this was thought to be a good move by whoever at Twitter signed it off.