In a blog post and a tweet on its @TwitterSupport account, Twitter announced that two-factor authentication (2FA) would change for all users on March 20, 2023. After this date, users not subscribed to Twitter Blue will no longer be able to use SMS to authenticate their login and will be forced to use an authentication code app (such as Google Authenticator) or a physical security key (such as Yubico’s YubiKey).
Two-factor authentication is a security practice that requires users to provide extra proof of their identity to log into an account. Cybersecurity experts classify these extra forms of ID into three categories: something you are (like your fingerprint), something you know (like an answer to a question), and something you have (like a phone that can receive SMS/text messages).
Twitter stated that this change was due to SMS-based 2FA “being used – and abused – by bad actors.” This seems to agree with a 2021 report from Twitter’s Transparency team, which noted that “SMS-based 2FA is the least secure [authentication method].” (The same report stated that nearly 75% of accounts with 2FA enabled were using SMS as their secondary key.) Following the 2FA announcement, multiple critics noted that the change was likely motivated by costs, as SMS verification through services like Twilio can cost as much as $0.05 per verification (plus carrier fees).