Twitter is removing text-message two-factor authentication (2FA) for non-subscribers. By double-checking the identity of the person logging in, 2FA lets users add an extra layer of security to their online accounts, beyond passwords.
Common methods include texting users a code or using an authenticator app. But on Saturday, the Twitter Support account tweeted that only Twitter Blue subscribers would be able to use text-message authentication from 20 March.
Some text-message 2FA users also received an in-app alert telling them to remove the method before the deadline to avoid losing access to their account.
Twitter owner and chief executive Elon Musk tweeted its authenticator app, which would remain free, was more secure.
Twitter had been “scammed” by phone companies and was paying more than $60m (£49m) a year for “fake 2FA SMS messages”, he told a critic of the move.
Twitter blogged “bad actors” had abused the method.
“We encourage non-Twitter Blue subscribers to consider using an authentication app or security-key method instead,” it said.
“These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.”
But security expert Rachel Tobac tweeted the move was “nerve-wracking”, citing a Twitter report published in July 2022 showing only 2.6% of active Twitter accounts had 2FA turned on between July 2021 and December 2021, but of those:
- 74.4% were using the text-message method
- 28.9% were using an authentication app
“All of us in security want folks to use a great form of [multi-factor authentication] to protect their account,” Ms Tobac tweeted, “but auto-unenrolling users who already signed up for SMS 2FA, because they didn’t pay, just opens them up to risk.”
Experts have warned SMS 2FA can be less secure than authenticator apps.
But it remained popular because it was easy to use, Prof Alan Woodward, of the University of Surrey, said.
“I’d rather people used something rather than nothing, which might well be what the less tech savvy are tempted to do,” he told BBC News.
“I sympathise that Elon Musk is trying to drive cost out of the business but choosing to effectively discourage 2FA for many users seems a dreadfully short-sighted false economy.”