Twitter users have until March 19th to disable SMS-based 2FA from their accounts, as the company is displaying a message stating that, “To avoid losing access to Twitter, remove text message two-factor authentication by March 19th, 2023.”
Twitter has announced that users who are not subscribed to Twitter Blue will no longer be able to use two-factor authentication (2FA) based on SMS. Twitter offers a total of three types of two-factor authentication methods: the other two use an authentication app or a security key.
While APT groups are exploiting Twitter for large-scale cyber-espionage campaigns, Elon Musk has a different idea to improve the platform’s security.
“While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used – and abused – by bad actors,” Twitter wrote in its blog post. “So starting today, we will no longer allow accounts to enrol in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
Users have until March 19th to disable SMS-based 2FA from their accounts and shift to an authenticator app or a security key for 2FA. On the other hand, they may buy its subscription service, Twitter Blue, which costs between $8 and $11 a month or $84 a year and adds new perks to an account, such as a checkmark next to the user’s name or the ability to edit tweets.
“After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled,” Twitter says.
SMS-based multi-factor authentication is, in fact, considered the weakest type of 2FA since hackers can clone a victim’s mobile phone number to a new SIM card. This allows them to intercept the code sent through SMS.
According to Twitter’s own transparency report from December 2021, only 2.6% of all Twitter users had enabled two-factor authentication, though the numbers may have increased since then.
To change your 2FA status on your Twitter account, you can navigate to “Settings & Privacy,” then “Security and Account Access,” then “Security,” and finally “Two-Factor Authentication” to choose between an authentication app.