CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

Twitter to Make SMS-Based 2FA Account Security a Paid Premium Feature in March

Scott Ikeda·February 24, 2023

Tech platforms often have to advertise and cajole users into enabling their free 2FA account security options. Twitter has taken a different tack in deciding to make SMS-based 2FA a premium feature available only to paying subscribers, beginning on March 20, 2023.

Twitter cites abuse of the text messaging 2FA option by bad actors as the reason for the change in policy. The service will still allow free use of authentication apps or hardware security keys as an additional account security layer. Twitter supports all time-based one-time password (TOTP) authentication apps that generate QR codes, and has offered the option to use multiple security keys since mid-2021.

Most commonly used 2FA method will require paid Twitter subscription

The move is part of a general push to drum up revenue for the platform via the premium Twitter Blue subscription option, which starts at $8 per month or $84 per year. The campaign to convince users to pay for Twitter has seemed haphazard and without clear strategy at times, and appears to be floundering as a recent internal document leak indicates that only about 0.2% of Twitter users have been convinced to open their wallets as of yet.

While Twitter is not eliminating free 2FA options entirely, SMS or text message methods are generally the most widely used as they are the least complicated and require no extra hardware or software (a phone is not even strictly necessary with the use of assorted online services).

Authenticator apps require users to at least have a somewhat recent smartphone; hardware security keys run from about $25 to $100, and are another object that people need to remember to bring with them (and not lose track of). The text message method meets with some amount of discouragement from security professionals, as it can be circumvented via phishing or a SIM swap attack, but it is widely seen as being better than nothing and a requisite courtesy for tech platform users.

The move also takes 2FA entirely out of the hands of most of Twitter’s global user base, even if they are willing to pay for Twitter Blue. The enhanced subscription is only available in 15 countries at present; it has yet to roll out across most of Europe, let alone in nearly all of Asia, Latin America and Africa. Twitter has said that it plans to expand the subscription service globally, but it is not clear how long that will take.

Twitter’s own internal numbers (published in July 2022) find that only 2.6% of its active users have any kind of 2FA in place, but 76% of those use text messaging. The vast majority of the rest use an authenticator app; fewer than 1% use a hardware key.

Account security change makes little sense to security researchers

Certain other tech platforms have been in a slow and gradual process of deprecating SMS 2FA, though not in an attempt to get users to pay for it as if it were some sort of premium feature. These efforts have made clear to users that SMS is not a particularly good method of account security, and give them ample time to familiarize themselves with one of the more secure methods and move to it.

A series of tweets that CEO Elon Musk interacted with seems to indicate that the primary motivation for this move may be saving tens of millions of dollars annually on spam SMS messages. Certain telephone companies in “other parts of the world” were accused of billing Twitter millions of dollars by using bots to send bogus 2FA messages over and over.

Whatever the reason, both tech platforms and security experts would generally like to steer users away from SMS 2FA in the long run because it provides something of a false sense of account security. But there is presently nothing that is as easy or accessible for the end user as an alternative, and SMS does add a substantial layer of security so long as the user does not fall for a phishing message (or have their SIM number stolen). While there are a number of free authenticator apps, they require a smartphone to be handy at every login, and the no-cost options generally involve either another big tech firm that customers may have reservations about (such as Google or Microsoft) or a smaller company that has had its own security issues (such as Twilio and LastPass).

Rob Griffin, CEO at MIRACL, suggests that the concept of MFA should be reconsidered to bring multiple security layers back to a single login step that anticipates how far the average user is willing to go (or not go) in terms of account security practices: “To assure the security of any online account, users should always implement MFA – relying on a password or any single factor will leave them vulnerable. Users’ reluctance is purely because historically MFA has meant a dreadful user experience. No longer. Single-step MFA enables a website’s users to authenticate securely in 2 seconds on any device or browser without password or friction. The cost and task of implementing are so small and the security benefits so big that operators who don’t adopt single-step MFA are frankly failing a duty of care to their customers.”

Darren James, Senior Product Manager with Specops Software, takes the opposite view; consumers need to be pushed into choosing a better account security setup than SMS 2FA as it is simply too vulnerable to continue being viable for long: “Off the back of the latest Twitter breach in December last year, the removal of using SMS as a 2FA method for non-paying users does initially seem like a bad idea – any 2FA is better than no 2FA. However, this does highlight that not all 2FA options are equal and that there are better alternatives to the weaker 2FA methods such as SMS and Secret Questions – even if this looks like it’s more driven from a cost saving perspective rather than security. Don’t forget while you’re signing up for your new Twitter 2FA it would also be a good idea to update your password as well – just make sure it’s a strong one!”

 

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.