Twitter has made a change that many users do not appreciate: it has turned off two-factor authentication (2FA) via SMS for free users and folded it into the Twitter Blue subscription. Users who want to keep receiving sign-in codes by SMS now need to pay for Twitter Blue.
Twitter 2FA via SMS Will Now Be a Paid Feature
Two-factor authentication is the primary tool Twitter offers to keep users’ accounts secure. With it enabled, entering a password alone does not log you in; you also need to use a security key or enter a code, which ensures that only you have access to your account. To date the company has provided three 2FA methods: text messages, authentication apps, and security keys.
As of March 20, Twitter lets its users secure their accounts with 2FA. Users enter their username and password to log in, and are then required to supply a numeric code as an additional factor. Security experts note that such codes are normally produced by a code-generator app; alternatively, they can be delivered in SMS text messages. When Twitter removed that option for unpaid users, security experts were left scratching their heads.
Since Elon Musk took ownership of Twitter last year, this two-factor move is the latest in a series of controversial policy changes. Note that users can now get a blue verified checkmark on their accounts only through the paid Twitter Blue service. It costs $11 each month on Android and iOS, and less for a desktop-only subscription. If you are a Twitter user booted off this feature, you are offered the option to switch to a physical security key or an authenticator app.
Twitter Makes 2FA Exclusive to Blue Users:
The company won’t allow non-Blue users to enable 2FA via SMS, which works as an extra layer of security. It is now one of the paid Twitter Blue features, alongside the ‘prestigious’ blue tick.
Twitter has given no reason for why the change is happening so suddenly. The company said that the feature had been used for malicious activity and that it therefore decided to disable it to prevent future occurrences. However, nothing was offered to support that claim.
The company said in a blog post that people also use phone-number-based 2FA, and that, until someone becomes a Twitter Blue subscriber, they can’t access their accounts this way. According to its July 2022 account security report, only 2.6% of active users had enabled two-factor authentication, and about 75% of those were using the SMS version. Hackers may hijack a targeted user’s phone number (a SIM swap) or use other techniques to intercept the texts.
Apple, Google, and other tech giants have eliminated the SMS option and transitioned two-factor users to other forms of authentication. Researchers worry that, because of Twitter’s policy change turning SMS two-factor into a premium feature, users might not have enough time to complete the transition.
What did Lorrie Cranor say about 2FA via SMS?
Lorrie Cranor, director of Carnegie Mellon’s usable privacy and security lab, said that two-factor authentication based on text messages carries a risk of being hacked and is therefore less secure than other 2FA methods.
Although Twitter says the change will roll out in mid-March, a pop-up overlay has already started appearing for users who have SMS two-factor enabled. They are advised either to remove two-factor entirely or to switch to an authentication app or a security key.
We still don’t know what will happen to users who don’t disable the feature by the new deadline. The in-app message implies that accounts will be locked if users have not turned the feature off when the change officially takes effect on March 20. According to the notification, users must remove text-message two-factor authentication by March 19, 2023, to keep accessing their accounts; according to Twitter’s blog post, it will be disabled on March 20 for any user who has not adjusted it before then. The company said that non–Twitter Blue subscribers will not be allowed to continue using text messages as a 2FA method after 20 March 2023.
Twitter has still not answered the question of what will happen to accounts where the feature is still enabled on March 20. Nor has it said anything about whether the policy change will result in a loss of two-factor adoption on the platform.
Musk has said that he is against Twitter bots but struggles to separate legitimate bots from malicious ones. Meanwhile, Twitter’s SMS two-factor mechanism suffered reliability problems in mid-November, just after Elon Musk took over leadership.
However, it is reported that bad actors have used and abused phone-number-based 2FA. The company therefore decided that, except for Twitter Blue subscribers, accounts will no longer be permitted to enroll in the text message (SMS) method. If you are a non-Twitter Blue subscriber who is already enrolled, you get thirty days to disable it. Non-Twitter Blue subscribers will not be allowed to use text messages as a 2FA method after 20 March 2023.
Frequently Asked Questions:
- Is email better than SMS for 2FA?
If someone compromises your email inbox, they may gain access to all of your online accounts with the help of the 2FA codes delivered there. Because an attacker needs access to the target’s mobile phone, SMS is considered more secure.
- Is 2FA free or not?
Yes. Download a free 2FA app on your PC or mobile device and install it, then use the app with a site that supports this form of authentication. At sign-in, you first enter your username and password; once prompted, you enter the code the app displays.
- Can SMS 2FA be hacked?
Although SMS messaging appears to be an ultra-secure method, it has been proven to be exploitable, so it is not totally hack-proof.