Twitter and two-factor authentication: What’s changing?

Twitter is making some dramatic shake ups to its currently available security settings. From March 19, users of Twitter won’t be able to use SMS-based two-factor authentication (2FA) unless they have a subscription to the paid Twitter Blue service.

If you use text-based 2FA, the important thing here is not to worry.

You may be under the impression that Twitter is removing your 2FA ability altogether, but this isn’t the case. There are alternatives, and they’re quite a bit more robust than the SMS approach. In fact, they’re referenced by Twitter repeatedly in the documentation regarding the removal of the text service for free Twitter users.

If you’re not sure what they are, or how they work, fear not. We’re going to walk you through the alternatives.

Changing your security approach on a deadline

If you log into Twitter at the moment, you’ll eventually be treated to a popup message which says the following:

Only Twitter Blue subscribers can use the text message two factor authentication method. It’ll just take a few minutes to remove it. You can still use the authentication app and security key methods. To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.

This move is being blamed on fraudulent bot behaviour in relation to the Twitter platform. From the above linked Twitter blog post:

While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

It’s not great that an additional security measure is being removed from users and placed behind a subscription. Some form of 2FA is better than nothing, and uptake for any type of 2FA is painfully low on major platforms. Even Twitter itself struggles, with just 2.6% of active accounts making use of at least one 2FA method. Out of those, 74.4% are using SMS 2FA so this removal plan could have a big impact on already tiny sign up numbers.

As Twitter is so mobile-centric and likely already has your mobile number, SMS 2FA is for many people a natural fit for the platform. It may well be that people stripped of their SMS 2FA may not bother to implement 2FA all over again with an app or hardware key. That would leave those accounts much less secure.

With this in mind, let’s take a look at what’s on the other two forms of 2FA that Twitter offers.

Twitter and 2FA: What can you use?

Authenticator apps

Apps are viewed as being more secure than text-based 2FA, but are still very convenient.

Authenticator apps work by continually generating a numerical code that you enter on the site after you’ve logged in with your username and password. If the code expires before you enter it, the app generates another one and you use that instead. The app will never run out of codes.

These codes are valid whether your phone is online or offline. Some authenticator apps will also send you a prompt to accept, to prove it is you who is logging in. If you travel a lot, this can be more convenient than relying on SMS because you may not have access to a network provider while overseas, or even some form of internet connection. With an app, it doesn’t make any difference.

Unlike text-based 2FA, authenticator apps are resistant to SIM-swap phone calls, because your codes are entirely disconnected from your carrier. Note that you can still be phished should you enter your app generated code on a phishing page.

Hardware security keys

These are dedicated USB sticks which can be tied to the websites you use, taking on the 2FA role in place of text messages, app codes, or even codes sent by email. Hardware security keys can’t be SIM swapped, and they won’t fall foul of phishing either. There’s nothing to phish. Unless the attacker can somehow physically obtain the device from your home, your wallet, your keychain, or anywhere else, they’re going to fail miserably with regard to compromising your security.

Hardware keys are very much the niche option, but if you want to reduce the risk of phishing as much as you possibly can, they’re definitely something to consider. There are models of hardware key which also work with services like password managers, so there’s a lot of options available depending on your specific security needs.

Making the change

Our next post on this subject will explain how to remove text based 2FA from your Twitter account if you have it enabled, and how to enable either app-based authentication or a hardware key instead. Some of the options and settings can be hard to find even for a pro, but we’ll cover each option in detail and you can pick the setting most relevant to your needs.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.