Last updated on April 25th, 2023 at 05:27 pm
Yesterday Elon Musk unveiled his latest attempt to monetize Twitter: paywalling SMS-based two-factor authentication (2FA). Per Twitter’s blog post, “accounts with text message 2FA still enabled will have it disabled” on March 20th, unless they are a Twitter Blue subscriber.
Twitter’s blog post emphasized SMS-based 2FA’s security problems as the reason behind the change. However, given Twitter’s very public financial troubles and the fact that it costs Twitter money to send one-time codes via text, it seems likely Musk is taking this step to cut costs and push more users to sign up for Twitter Blue.
While there are plenty of good reasons to switch from SMS-based 2FA to an authenticator app or a security key, turning off 2FA for someone who doesn’t make the switch (or pay for Twitter Blue) will make their account far less secure.
And I suspect many non-Twitter Blue subscribers who use SMS-based 2FA will end up having their 2FA turned off by Twitter. After all, coughing up $8 ($11 on iOS and Android) a month for Twitter Blue to keep SMS-based 2FA seems like it will be a hard sell for most people. And as for switching to an authenticator or security key, change is hard. Moving to an authenticator means learning how to install and use new software, and switching to a security key means buying new hardware and figuring out how to use it. Doing all that in the next month will probably not be a priority for many people.
The reduction in security for non-Blue users will probably lead to more hacked accounts and more spam and scams on the platform. And the last thing Twitter needs right now is more bots pushing crypto scams.
Perhaps the well-deserved backlash to Musk’s current plan will cause him to rethink things. In that case, I just hope he doesn’t decide to paywall authenticators or security keys instead.
Update Feb 18th at 12:39pm. I received a notification instructing me to remove SMS-based 2FA from one of my Twitter accounts. Somewhat ominously, it warned “To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023”. This makes it seem like Twitter’s forced disabling of SMS-based 2FA will not in fact turn off 2FA for non-Blue subscribers’ accounts, but will rather remove their option of receiving a code via SMS, effectively locking users out of their accounts if they don’t have another method of 2FA already set up on their account.
Faced with the choice of being locked out of their accounts, subscribing to Twitter Blue, switching to an alternative method of 2FA or simply turning off 2FA altogether, I expect many users will forgo improved security and opt for the last of these.