Twitter has announced that it will no longer support SMS two-factor authentication unless you pay for a Twitter Blue subscription. However, there are more secure options for multi-factor authentication, which we describe below.
In a blog post this week, Twitter said non-Twitter Blue users using 2FA SMS authentication have until March 20, 2023 to switch to another 2FA method or it will be disabled.
“Non-Twitter Blue subscribers who are already signed up will have 30 days to opt out of this method and sign up for another,” Twitter warned in a new blog post.
“After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use SMS as a 2FA method. At that time, accounts with SMS 2FA still enabled will be disabled.”
According to Twitter’s account security report, which covers July 2021 through December 2021, only 2.6% of active accounts had two-factor authentication enabled. Of those, 74.4% used SMS 2FA, 28.9% used an authenticator app, and 0.5% used a hardware security key (an account can enable more than one method, so the figures overlap).
Elon Musk said the change was being made because Twitter was losing $60 million a year on fraudulent 2FA SMS traffic.
Musk later defended the policy change, stating that authenticator apps “are much more secure than texting”, likely a reference to the risk of SIM-swapping attacks against mobile phone numbers.
SIM swapping attacks occur when malicious actors take control of a target’s mobile phone number by tricking or bribing carrier employees into reassigning the number to a SIM card the attacker controls.
The attacker can then use the phone number on their own device, receive the victim’s text messages, including SMS multi-factor authentication (MFA) codes and password-reset links, and log into any account that uses the phone number as part of its credentials.
If you don’t plan to sign up for Twitter Blue, you will now need to use a hardware security key or an authenticator app as your 2FA method.
While many disagree with how this new policy is being managed and rolled out, it could ultimately lead to better security for users who choose not to subscribe to Twitter Blue.
Indeed, you will be forced to use more secure options to secure your account.
The safest option is a hardware security key, such as a Google Titan or a YubiKey. These are small USB or NFC devices that answer the site’s login challenge with a signature only the key can produce, and many sites will log you in directly once the key has been tapped.
They are considered the most secure because they are physical devices that must be plugged in or tapped, and therefore in your possession, at the moment you log in.
They also resist phishing in a way one-time codes cannot: the key’s signature is bound to the web origin that requested it, so a signature collected by a look-alike domain is useless against the real site. As a result, someone who has stolen your password cannot complete the login, whether they try to relay the session through an adversary-in-the-middle phishing kit or take over your phone number with a SIM swap.
The other option is a two-factor authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy.
When you set up 2FA on a website, the site displays a QR code that you scan with the authenticator app. The QR code carries a secret shared between the site and the app; from then on, the app uses that secret and the current time to generate short-lived one-time codes (normally a six-digit code that changes every 30 seconds), and you enter the current code alongside your password to log in.
If a hacker obtains your password, they do not have the secret stored in your phone and therefore cannot generate a valid code. Note that this protects against a stolen password, not against a live phishing page that relays the code you type within its 30-second window, which is why hardware keys are still the stronger choice.
The problem with authenticator apps is that if you lose your phone, you also lose access to your 2FA codes, making it difficult and time-consuming to regain access to sites.
However, Microsoft Authenticator and Authy include the ability to back up your 2FA settings to the cloud so you can restore your 2FA settings if you lose or erase your device.
Therefore, either app is a great choice as an authenticator app.
If you use Authy, turn off the “Allow Multi-Device” setting whenever you are not actively adding a new device: with it enabled, anyone who takes over your phone number could register their own device to your Authy account and obtain your codes.
No matter which method you use, Twitter’s security report shows that far too few people secure their accounts with 2FA at all, even though it significantly raises the bar for an attacker.
It is strongly advised to enable 2FA on every online account you use, including Twitter, and to use an authenticator app or, better still, a hardware security key, as both are more secure than SMS.