As of March 20, Twitter will remove SMS 2FA authentication for some users: What dangers can arise and what can be done?

March 17, 2023  16:02

Starting March 20, Twitter will stop using two-factor authentication (2FA) via SMS for users who do not have a Twitter Blue subscription, which costs $13 per month.

What does this mean? How could it affect you? And how can you make your account just as secure without extra cost?

What is two-step verification?

Two-factor authentication is an additional layer of security. If for some reason your password gets into the hands of others, 2FA will prevent them from stealing your account.

The most common form of 2FA is SMS authentication. After you enter your password to access a service, the authentication system sends a code to your phone via SMS. You enter this code on the website to prove that you are the owner of the account.

Other forms of 2FA are software-based authentication and security keys.

Banks, social media platforms, and other security-conscious organizations generally see 2FA as a good and useful thing, especially since many people use the same password for multiple platforms. This is why 2FA via SMS is usually offered to people for free.

Why is Twitter ditching free SMS 2FA?

Elon Musk, the owner of Twitter, has mentioned two reasons: money and security. Last month, he tweeted that mobile operators were extorting $60 million a year from Twitter by sending "fake" verification SMSes. In other words, according to him, Twitter pays for those SMSes, and it is the telecommunication companies that benefit from it.

In another post on social media, Musk said that other authentication apps are "more secure than SMS." And he is right. Security experts note that criminals sometimes manage to fool mobile operators into redirecting a phone number to another SIM card, and so "steal" the SMS code on its way to the real user. This is called "SIM jacking".

How can you protect your account without free 2FA SMS?

In fact, there are two options: authenticator apps and security keys. The first is the simplest and cheapest. There are a number of such apps that are free. Download one of them, then sign in to Twitter and select Settings and privacy, then Security and account access > Security > Two-factor authentication, and then click the Authentication app. Enter your password and click Confirm.

With authenticator apps, hackers can't resort to SIM jacking, but you can still be a target of phishing. In other words, they can mislead you and steal your password. How? They send you a hyperlink which, when you click on it, opens a page that looks very similar to the login page of the given site. But it is a page made by hackers, and if you enter your login and password there, you will give them that information.

That leaves the final option: hardware keys. A hardware key is a USB device that plugs into your computer and gives you a unique number or "key" to authenticate you. This is the most reliable option, but many people find it inconvenient, because it must always be at hand for identification.

What will happen if you do nothing at all?

You'll still be able to use Twitter. However, starting March 20th, you'll be prompted to disable 2FA before you can continue using your account. The only real change will be that from that point on, the risk that your Twitter account could be hacked and stolen will increase significantly.
