Twitter had announced last month that it’s going to change the way people use two-factor authentication (2FA) to protect their Twitter accounts. It was to remove the option to use text message/SMS as 2FA method for all Non-Twitter Blue subscribers.
In a normal way, like most internet platforms, Twitter offers both the text message/SMS based 2FA method and a method via third-party authentication application. In addition to the two, Twitter also offers a third method to secure your account using a Security Key that works with an external/physical USB, Bluetooth, or an NFC device.
After the new restriction imposed, only the Twitter Blue subscribers will be able to keep using the most common 2FA method of text message/SMS. Non-subscribers will have to switch to the Authentication App method or to the Security Key.
On the announcement last month, the social media platform gave its users 30 days to disable the text message/SMS method of the 2FA and switch to the different one. On the March 20th, 2023, Twitter has kicked out the users who didn’t switch themselves.
It doesn’t matter they kicked you out or you made a switch, you just need to use the other method. It, however, doesn’t make sense why Twitter would require you to pay for a Twitter Blue subscription to use text/SMS based two-factor authentication. The whole bunch of platforms on the internet offer this account security step for free and many have stopped offering the option at all.
Twitter, though, has an excuse to make this move as they had seen the method been abused by “bad actors”
While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.
It’s worth noting that Twitter published a report about account security in July 2022, in which it said that only 2.6% of its active users had at least one 2FA method enabled. Around 75% of those had enabled SMS-based 2FA method, around 29% were using third-party authentication app, while less than 1% had enabled a physical authentication key.
