Twitter has announced that it will no longer support SMS two-factor authentication unless you pay for a Twitter Blue subscription. However, there are more secure options for multi-factor authentication, which we describe below.
In a blog post released this week, Twitter said that non-Twitter Blue users using SMS 2FA authentication have until March 20th, 2023, to switch to another 2FA method, or it will be disabled.
“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another,” Twitter warned in a new blog post.
“After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled.”
Based on Twitter’s account security report, which covers data between July 2021 and December 2021, only 2.6% of users use two-factor authentication. Of these users, 74.4% use SMS 2FA, 28.9% use an authenticator app, and 0.5% use a hardware security key.
Elon Musk said they are making this change as they lose $60 million yearly on fake 2FA SMS messages.
Musk later backed up this policy change, stating that authentication apps “are much more secure than SMS,” likely referring to the risk of SIM-swapping attacks on mobile devices.
SIM swapping attacks are when threat actors take control of a target’s mobile phone number by tricking or bribing the carrier’s employees to reassign the numbers to attacker-controlled SIM cards.
This enables the threat actors to use the phone number on their own devices, receive the victim’s SMS texts, including SMS multi-factor authentication (MFA) codes, and log into accounts that use a phone number as part of the credentials.
If you have no plans to sign up for Twitter Blue, you will now be required to use either a security key or an authentication app as your 2FA method.
While many do not agree with how this new policy is being handled and rolled out, it may ultimately lead to better security for users who choose not to subscribe to Twitter Blue.
This is because you will be forced to use more secure options for securing your account.
The most secure option is to use a hardware security key, such as a Google Titan or Yubikey, which are small devices with USB or NFC connectivity to automatically respond to 2FA requests and sign you into an account.
They are considered the most secure as they are physical devices that must be plugged into a computer and be in your possession to log you into your account.
Therefore, even if someone gains access to your credentials, they cannot bypass 2FA, as they would also need the physical key. This holds even if they somehow capture your other 2FA codes, whether through advanced adversary-in-the-middle phishing attacks or SIM swapping attacks.
When setting up 2FA with an authentication app on a website, the site will display a QR code that you scan with the app. Once scanned, the website is registered in the app, which then generates the 2FA codes you must submit to the website to log in to your account.
If a threat actor gains access to your credentials, they will not have access to the code generated by your mobile app and thus won’t be able to log in.
The problem with authenticator apps is that if you lose your phone, you also lose access to your 2FA codes, making it difficult and time-consuming to regain access to sites.
However, Microsoft Authenticator and Authy include the ability to back up your 2FA settings to the cloud so that you can restore your 2FA settings if you lose or wipe your device.
Therefore, either app is an excellent choice as your authentication app.
If using Authy, though, make sure to disable the ‘Allow Multi-device’ setting when not transferring codes to another device, as if your phone number is stolen, it could potentially be used to access your Authy account.
Regardless of the authentication method you are using, Twitter’s security report shows that far too many people are not securing their accounts with 2FA, even though it increases the security of your account.
It is strongly advised to enable 2FA on all online accounts you use, including Twitter, and to use an authenticator or a hardware security key, as it’s ultimately more secure.