Twitter restricts SMS 2-factor authentication to Twitter Blue Subscribers

In a move puzzling to security experts, Twitter has restricted the use of SMS 2-factor authentication to its Twitter Blue subscribers only. The move was made after Twitter owner and current CEO Elon Musk declared that SMS authentication spamming has cost the company over $60M a year.

An official statement from Twitter states that current non-Twitter Blue accounts with SMS 2-factor authentication have until March 19, 2023, to set up 2FA with either an authentication app or a security key.

Twitter’s 2FA disaster

Despite the alarming bill the company is reportedly seeing from malicious actors abusing the SMS 2-factor authentication mechanism, the share of the Twitter user base that has enabled any form of 2FA is shockingly low.

In fact, it’s only 2.6%, with 74.4% of those relying on the SMS mechanism. The only two other free mechanisms now available to any Twitter user are an authentication app and a security key. Authentication apps (like Google Authenticator) scan a QR code to initially set up the 2-factor authentication passcode, which then rotates automatically on a timed interval, similar to RSA tokens.

As cybersecurity expert and ethical hacker Rachel Tobac has outlined, the concerns about disabling SMS 2FA are numerous for Twitter’s user base.

Twitter accounts that currently use SMS 2FA and are not Twitter Blue subscribers will see a warning message the next time they log in to the platform, alerting them of the change in policy.

The security concerns for Twitter have continued ever since the purchase and takeover of the platform by Musk back in October 2022. Executives and veterans of the company resigned, with layoffs reportedly reducing headcount to 500 full-time employees. The initial revamp of the Twitter Blue program offering a “verified” Twitter blue check mark for $8 a month also backfired.

Will 76% of Twitter SMS 2FA users convert to an authentication app or security token? We’ll find out soon enough, but it’s highly doubtful.
