Twitter removes two-factor authentication (2FA) from text messages for non-followers

Twitter has announced that only users of Twitter Blue, the platform's premium subscription, will have access to two-factor authentication (2FA) via SMS from March 20. The move has raised concerns about Twitter's account security, as 2FA allows users to add an extra layer of security to their online accounts beyond passwords. SMS 2FA users who are not subscribed to Twitter Blue received an in-app alert asking them to remove the method before the deadline to avoid losing access to their account.

The reasons for removing SMS authentication

According to Elon Musk, owner and CEO of Twitter, the removal of SMS authentication is due to the high costs that Twitter has to bear for this method. Musk tweeted that Twitter had been "scammed" by phone companies and was paying more than $60m (£49m) a year for "fake 2FA SMS messages". It also said its authenticator app, which would remain free, was more secure.

Security experts and user concern

Some security experts have warned that SMS authentication can be less secure than other methods, like authenticator apps, but it's remained popular because it's easy to use. Rachel Tobac, a security expert, tweeted that Twitter's decision was "scary" and that the automatic removal of SMS 2FA users who are not Twitter Blue subscribers put them at risk. She cited a July 2022 Twitter report showing that only 2,6% of active Twitter accounts had 2FA enabled between July 2021 and December 2021, but of those, 74,4% were using the SMS method.

Professor Alan Woodward, from the University of Surrey, said he would rather people use something than nothing, which might just be what the less tech-savvy are tempted to do. He also said that Musk's decision to effectively discourage 2FA for many users seemed like a terribly myopic false economy.

Alternatives to SMS authentication

Twitter recommends SMS 2FA users who are not Twitter Blue subscribers consider using an authenticator app or passkey method instead. These methods require users to have physical possession of the authentication method and are a great way to ensure their account is secure. However, these methods can be more complex to use than SMS authentication.

In conclusion, the removal of SMS authentication for non-Twitter Blue followers raised concerns about account security. Twitter, as this method is easy to use and remains popular despite concerns about its security. Twitter's decision to only offer SMS authentication to Twitter Blue subscribers was driven by high costs and abuse of this method by "bad actors" on the Twitter blog.

SMS 2FA users who are not Twitter Blue subscribers are recommended to use an authenticator app or passkey method instead. Although these methods can be more complex to use than SMS authentication, they provide increased security and are less likely to be compromised.

Twitter's decision to remove SMS authentication raises broader questions about online security and companies' responsibilities to protect their users' data. Users should be aware of the risks of using less secure security methods and take steps to protect their online accounts. Companies, on the other hand, need to take steps to ensure the security of their users' accounts and ensure that the security methods offered are accessible to everyone, regardless of their ability to pay for a premium subscription.