Twitter to Paywall SMS-Based Two-Factor Authentication

News / 2FA, Twitter / By /

Last updated on April 19th, 2024 at 02:35 am

A hand-drawn brick wall with the text "Paywall" on the front and 0s and 1s behind it.
ID 223054896 © Andrey Popov | Dreamstime.com

Yesterday Elon Musk unveiled his latest attempt to monetize Twitter: paywalling SMS-based two-factor authentication (2FA). Per Twitter’s blog post, “accounts with text message 2FA still enabled will have it disabled” on March 20th, unless they are a Twitter Blue subscriber.

Twitter’s blog post emphasized SMS-based 2FA’s security problems as the reason behind the change. However, given Twitter’s very public financial troubles and the fact that it costs Twitter money to send one time codes via text, it seems likely Musk is taking this step to cut costs and push more users to sign up for Twitter Blue.

Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authenticator app or security key for 2FA. Learn more here: https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
Non-Twitter Blue subscribers will need to use authenticators or security keys as their 2FA method from March 20th. Source: Twitter Support.

While there are plenty of good reasons to switch from SMS-based 2FA to an authenticator app or a security key, turning off 2FA for someone who doesn’t make the switch (or pay for Twitter Blue) will make their account far less secure.

And I suspect many non-Twitter Blue subscribers who use SMS-based 2FA will end up having their 2FA turned off by Twitter. After all, coughing up $8 ($11 on iOS and Android) a month for Twitter Blue to keep SMS-based 2FA seems like it will be a hard sell for most people. And as for switching to an authenticator or security key, change is hard. Moving to an authenticator means learning how to install and use new software and switching to a security key means buying new hardware and figuring out how to use it. Doing all that in the next month will probably not be a priority for many people.

The reduction in security for non-Blue users will probably lead to more hacked accounts and more spam and scams on the platform. And the last thing Twitter needs right now are more bots pushing crypto scams.

Perhaps the well-deserved backlash to Musk’s current plan will cause him to rethink things. In that case, I just hope he doesn’t decide to paywall authenticators or security keys instead.

Update Feb 18th at 12:39pm. I received a notification instructing me to remove SMS-based 2FA from one of my Twitter accounts. Somewhat ominously, it warned “To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023“. This makes it seem like Twitter’s forced disabling of SMS-based 2FA will not in fact turn off 2FA for non-Blue subscribers’ accounts, but will rather remove their option of receiving a code via SMS, effectively locking users out of their accounts if they don’t have another method of 2FA already set up on their account.

You must remove text message two-factor authentication. Only Twitter Blue subscribers can use text message two-factor authentication. It'll just take a few minutes to remove it. You can still use the authentication app and security key methods. Learn more about two factor authentication. To avoid losing access to Twitter, remove text-message two-factor authentication by March 19, 2023. Get started. Skip for now.
Screenshot by Safe, Not Scammed. Source: Twitter.

Faced with the choice of being locked out of their accounts, subscribing to Twitter Blue, switching to an alternative method of 2FA or simply turning off 2FA altogether, I expect many users will forgo improved security and opt for the latter.

Leave a Comment

Your email address will not be published. Required fields are marked *