Twitter Puts 2FA Via Text Message Behind the Paywall – Social Factor Alert

In a blog post and tweet to their @TwitterSupport account, Twitter announced that two-factor authentication (2FA) would change for all users on March 20, 2023. After this date, any users NOT subscribed to Twitter Blue will no longer be able to use SMS to authenticate their login, and will be forced to use an authentication code app (such as Google Authenticator), or a physical security key (such as Yubico’s YubiKey). 

Two-factor authentication as a security practice requires users to provide extra proof of their identity to log into an account. Cybersecurity experts classify these extra forms of ID into three categories: something you are (like your fingerprint), something you know (like an answer to a question), and something you have (like a phone that can receive SMS/text messages).

Twitter stated this change was due to SMS-based 2FA “being used – and abused – by bad actors.” This is consistent with a 2021 report from Twitter’s Transparency team, which noted that “SMS-based 2FA is the least secure [authentication method]”. (The same report stated that nearly 75% of accounts with 2FA enabled were using SMS as their secondary factor.) Following the 2FA announcement, multiple critics noted that the change was likely motivated by costs, as SMS verification fees through services like Twilio can cost as much as $0.05 per verification (plus carrier fees).

Action Items for Brands

  • SMS has long been the preferred 2FA method for brands with distributed social teams and/or agency partners. They will now have to pay for Twitter Blue or change team processes.
  • We highly recommend moving away from SMS-based 2FA, due to its known flaws and potential attacks. This change makes it all the more important to migrate access to social management software (like Sprinklr) or a secure password vault (like Bitwarden).
  • This change will inevitably lead to more attempts to hijack Twitter accounts, and more of them will succeed, as many users won’t migrate their 2FA. The threat to brand Twitter accounts will increase as well, so preparing your security before the effective date is now critical.

