Twitter’s Two-Factor Authentication Change ‘Doesn’t Make Sense’
“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. It doesn't make sense to allow the less secure method for paid accounts only.” While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen on Friday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.” It is unclear what will happen if users do not disable SMS two-factor by the new deadline. “And if you aren't a Twitter Blue subscriber, and they downgrade you to just password-based authentication, now they've fully taken something that's purported to improve users’ security and done exactly the opposite.” On Friday evening, the Twitter account “Titter Takeover News” echoed the company's comments about phone-number-based 2FA being abused by scammers. Eliminating SMS two-factor “might very incrementally decrease Twitter's costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages,” Fenton says. “But the Twitter Blue exception still wouldn't make sense.” As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users' accounts.





