
SMS 2FA out at Twitter for non-subscribers

SAN FRANCISCO – Twitter users who do not pay for Twitter Blue have reason to feel blue this week, with the upcoming removal of SMS two-factor authentication (2FA) from non-subscribers.

On Feb. 15, in a product update blog, Twitter announced that the popular security method is being disabled on the platform by March 20, citing security issues stemming from what Twitter called “Bad Actors” abusing the system. While SMS 2FA is one of the less secure forms of 2FA, it is notable that Twitter is not eliminating it entirely, only for users who are not Twitter Blue subscribers.

“Twitter removing the most popular form of 2FA for millions of users is Christmas come early for fraudsters. We know that SMS 2FA has its flaws, but its widespread acceptance among the general population made it a security feature of huge value,” said Andy Kays, CEO of Socura, a cybersecurity solutions company.

“In the short term, the removal of 2FA could be harmful, especially among less tech-savvy social media users. Most people will switch from using SMS 2FA to using no form of 2FA whatsoever. They will be far less secure as a result, and a prime target for fraudsters, cybercriminals, and identity thieves. In the long term, we can only hope that this move is the catalyst for universal authenticator app adoption. It is true that authenticator apps are a much better form of 2FA, but users should have been encouraged to switch at their own free will over a period of time, not forced to do so,” he said in an email statement provided to Security Systems News.

The impact of this change will be somewhat limited, as only 2.6 percent of Twitter users have 2FA enabled at all, but as popular Twitter hacker Rachel Tobac pointed out in a tweet posted on Feb. 17, it will affect the majority of those users.

"This Twitter 2FA change is nerve-racking because:
1. Only ~2.6 percent of Twitter users have 2FA on at all (it’s essential for preventing easy account takeover). Of those 2.6%, 74 percent use text message-based 2FA (https://t.co/WXuFydZk17)
If they don’t pay for Blue they auto lose 2FA on 3/20." https://t.co/LneQojvjbi pic.twitter.com/PgySF3Qyag 

During the transition period, both Twitter and other security experts suggest that non-Twitter Blue users switch to an authenticator application or a security key to protect their accounts.

Twitter’s full blog post on the decision is available at blog.twitter.com.
