late on fridayTwitter announced a new policy that will remove text message two-factor authentication (2FA) from any account that doesn’t pay for it.
In a blog post, Twitter said that it will only allow accounts that subscribe to its premium Twitter Blue feature to use text-based 2FA. Twitter users who don’t switch to a different type of two-factor authentication will have the feature removed from their accounts by March 20.
That means anyone who trusts Twitter to text their phone a code to log in will have their 2FA disabled, allowing anyone to access their accounts with just a password. If you have an easy to guess Twitter password or use that same password on another site or service, you should take action as soon as possible.
Twitter states that it is “committed to keeping people safe and secure on Twitter.” This is not true. Instead, you’re looking at one of the dumbest security decisions ever made by a company in real time.
It is not clear for what reason this new 2FA policy, first revealed by Zoë Schiffer from platforms and later confirmed by Twitter, it was instituted. Since Elon Musk’s $44 billion acquisition, Twitter has been cash and employees It’s likely that the decision to remove SMS 2FA was to save the company money, since texting isn’t cheap. We would ask Twitter to comment, but Musk fired his entire communications team.
Twitter justified the decision in your blog post, saying that bad actors can abuse SMS 2FA. This could refer to SIM swapping attacks, where a hacker convinces their mobile phone provider to assign a victim’s phone number to a device controlled by the hacker. By taking control of a person’s phone number, the hacker can impersonate the victim, as well as receive text message codes that can allow them to access the victim’s online accounts. But making SMS 2FA available only to Twitter Blue subscribers doesn’t make paying users any more protected against SIM swapping attacks. If anything, by encouraging paid users to trust SMS 2FA, their Twitter accounts are more prone to takeovers if their phone number is hijacked.
Having said all of that, and this is important, SMS 2FA still provides much greater protections for your accounts than not using 2FA at all. But Twitter’s new policy is not the way to encourage users to use more secure 2FA. In fact, companies like Mailchimp take the opposite (but correct) approach to encourage users to activate 2FA by discounting customers’ monthly bills.
The silver lining, if we can call it that, is that Twitter isn’t doing away with 2FA entirely. You can still protect your account with strong 2FA without paying Elon Musk a dime.
Regardless of whether or not you’ve abandoned your Twitter account in favor of alternative, decentralized services like Mastodon and others, you’ll still want to take steps before March 20 to protect your account in case someone breaks in and starts tweeting on your behalf. .
Instead of using 2FA codes sent via text, you need app-based 2FA, which is much more secure and is as fast as receiving a text. (Many online sites, services, and apps also offer app-based 2FA.) Instead of sending a code to your phone via text message, you can generate a code through an authenticator app on your phone, such as Duo, Authy, or Google Authenticator. to name a few. This is much more secure as the code never leaves your device.
Image Credits: TechCrunch (screenshot)
To set this up, first make sure you have your authenticator app installed on your phone. Go to your Twitter account, then go to Settings and privacyso Security and account accessso Security. Once you’re in the Two Factor Authentication settings, then select authenticator app. Follow the instructions carefully; you may need to enter your account password to get started. Once you’re done, you’ll be able to sign in with your password, then a code generated from your authenticator app.
Remember, because this is a much more secure way to access your Twitter account, which means that if you lose your phone it can be very difficult to access your account again. That’s why you should keep track of your backup codes, which allow you to gain access to your account if you’re locked out, safely stored in your password manager. You can find your backup codes in the same place where you set up your app-based 2FA.
