Twitter users who rely on text messaging 2FA to secure their accounts will have to come up with another option by March 20; unless the social media giant changes course, they will need to invest in either an authenticator app or a hardware key (or just go without an MFA layer of account security).
Citing bad-faith billing by certain phone companies, Twitter is moving SMS 2FA to the paid “Twitter Blue” subscription service. This means a cost of at least $8 per month (and $11 for mobile app users, the vast majority of the customer base) to use a 2FA method widely considered to be on the weak side, but nevertheless widely accessible and something of a common courtesy offered by tech platforms for the sake of account security.
Imperfect account security method nevertheless commonly used, helpful in many use cases
SMS-based 2FA is looked down upon in security circles due to several available options for remotely circumventing it, such as phishing attacks and SIM swaps. But it is by far the most commonly used MFA method, and is particularly popular on Twitter. For an aware user who is not highly targeted by skilled hackers, it is a useful layer of account security that can help to stymie account takeover attempts that exploit password reuse or a data breach.
Elon Musk indicated that the primary motivation for the change is in cost savings on SMS spam. He pointed to certain unnamed overseas phone companies that use bots to generate reams of Twitter 2FA messages as a means of fraudulent billing of the company, which he claims costs about $60 million per year.
The change forces Twitter users to adopt 2FA methods that involve extra steps, and possibly extra cost. There are a number of free authenticator apps, but these will require the user to have a smartphone handy at every login. A hardware key adds a one-time purchase price and also forces the user to have it on hand whenever they want to access their account.
Unpopular Twitter Blue tier struggles to find its audience
Recent leaked internal information indicates that only about a quarter of a percent of Twitter users have paid for Twitter Blue. Moving SMS account security to the tier seems unlikely to inspire much more movement, given that people use it primarily as a free and convenient option; it seems much more likely that these users will just go without 2FA.
Other internal Twitter numbers bear out this theory: a mid-2022 study found that only 2.6% of its users have any kind of 2FA enabled, and of those 76% are using the SMS option. Authenticator apps may see a little more migration from the more security-minded, but hardware key manufacturers should not expect a windfall from this development; less than 1% of that very small population of 2FA users has one.
Much of the world will also be entirely out of luck until Twitter Blue reaches them. At present it is only available in a little over a dozen countries. Entire continents remain without access to it, with no firm dates set on when they can expect it to be rolled out.