Twitter has announced that it will remove text message two-factor authentication (2FA) from any account that does not pay for it. In a blog post, the company said that only accounts subscribed to its premium Twitter Blue service will be allowed to use SMS-based 2FA. Users who do not switch to a different 2FA method by March 20 will have the feature removed from their accounts.
Despite Twitter’s claims to the contrary, it is not true that the company is “committed to keeping people safe and secure on Twitter.” This is one of the most stupid security decisions a corporation has ever made, and it is playing out in real time. Anyone who relies on Twitter texting a code to their phone at login will have their two-factor authentication switched off, leaving their account protected by nothing but a password. If your Twitter password is easy to guess, or you reuse it on another site or service, you should act sooner rather than later.
Neither Twitter nor Platformer knows why this new 2FA policy was instituted. Since Elon Musk’s $44 billion takeover, Twitter has been bleeding cash and employees, and sending text messages isn’t cheap, so dropping SMS 2FA probably saves the company money. Musk fired Twitter’s entire communications team. Twitter justified the decision by saying that bad actors can misuse SMS 2FA: in a SIM swap attack, a hacker has a victim’s phone number reassigned to a device the hacker controls, and can then impersonate the victim and receive the text message codes that unlock their online accounts. Yet only Twitter Blue subscribers will keep SMS 2FA, the very method that SIM swap attacks defeat. In effect, by steering paid users towards SMS 2FA, Twitter is making their accounts more vulnerable to takeover.
Still, SMS 2FA provides far greater protection for your accounts than no 2FA at all. Twitter’s new policy does nothing to nudge users towards a more secure form of 2FA; companies like Mailchimp, by contrast, encourage users to switch on stronger authentication by discounting their monthly bills. If there is a silver lining, it is that Twitter isn’t scrapping 2FA altogether: you can still protect your account without paying Elon Musk. Even if you have abandoned Twitter in favour of alternative, decentralized services like Mastodon, you should still take action before March 20, or someone may break in and tweet on your behalf.
The better option is app-based 2FA, which is both more secure and faster than text messages. It is available on many online sites, services, and apps. Instead of receiving a code by text message, you generate one in an authenticator app on your phone, such as Duo, Authy, or Google Authenticator. The codes never leave your device, which is what makes this much safer. First, make sure you have your authenticator app installed. Then select Settings and privacy, then Security and account access, then Security. On the Two-factor authentication settings page, select Authentication app. You may need to enter your account password to get started.
From then on you log in with your password plus a code generated by your authenticator app. Because this is a more secure way of accessing your Twitter account, losing your phone can make it very hard to get back in. Store your backup codes in your password manager so that you can securely regain access if you are locked out. You will be shown your backup codes when you set up app-based 2FA.