
On Wednesday, February 15, 2023 Twitter announced in a blog post that two-factor authentication using text messages (SMS, Short Message Service) will no longer be free. This may come as a shock to some, and it creates further confusion about what one can do other than pay for Twitter Blue. The unfortunate part of this announcement is how Twitter has chosen to handle it: in some cases Twitter gives the impression that paying is the only option, which is not the case. Let us first clear up the confusion and then look at what options a Twitter user has.
What is Two-Factor Authentication?
Multi-factor authentication (MFA), also known as two-factor authentication (2FA) when exactly two factors are used, is a login method for a website or application that requires two or more distinct forms of proof of identity in order to gain access. The first factor is usually the password; the second is commonly a code sent by text message (SMS) to a mobile phone, a code from an authenticator app, a hardware security key, or a biometric (fingerprint, face, or retina).
We can break this down simply as…
- Something you know (your password)
- Something you have (the phone that receives the text message, an authenticator app, a security key)
- Something you are (fingerprint, face, retina)
Why Charge for a Security Feature?
As far as I am aware, at the time of writing Twitter has not fully stated its reasoning publicly. The blog post announcement does state indirectly that 2FA via text message is being abused by bad actors, which implies that text message two-factor authentication will eventually be removed for the sake of security. We can, however, make further deductions as to why Twitter would even consider this.
- To discourage use
- To reduce operating costs, since sending text messages (SMS) is expensive for a business
- To gain revenue, even if only temporarily
- To eventually drop text message support completely
- To improve security, since text messages are not a secure second factor (codes can be intercepted or redirected, for example by SIM swapping)
When Will Free Text Message 2FA End?
The blog announcement states that after March 20, 2023 non-Twitter Blue subscribers will no longer have access to text messages for two-factor authentication. So, to be safe, I would make sure to switch away from text message 2FA before March 19, 2023.
What Do I Do After the Deadline?
Accounts left with text message 2FA enabled will have it disabled, according to the blog announcement. What is not clear is whether those accounts will still have access afterwards. Some users have been shown a message on Twitter stating "To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023".
What Are My Options?
Twitter offers other methods of two-factor authentication, an authenticator app or a security key, for free under an account's Settings > Security and account access > Two-factor authentication. It may also be possible to leave two-factor authentication disabled entirely; however, I strongly advise against this, because without 2FA it is not a matter of if an account will be breached, but when.
So my advice is to disable text message 2FA and enable either the authenticator app or the security key method provided by Twitter for free.
Conclusion
I personally may not agree with how Twitter is handling the transition away from text message 2FA; however, I do believe that in the end this is better for everyone from a security point of view. Sending a security code by text message is simply dangerous and honestly should never have been done in the first place. Those using Twitter should take this opportunity to learn more about two-factor authentication, password managers, authenticator apps, and security keys.
In the end I recommend enabling two-factor authentication using an authenticator app or a security key. For those looking for a free, open source authenticator/password manager app or a security key, here are some recommendations. Please remember to save your backup codes in case the 2FA method cannot be used (a lost phone or a broken key).
Authenticator/Password Manager apps
- Aegis Authenticator (Android)
- AuthPass (Android, iOS, macOS, Windows)
- Bitwarden (Android, iOS, Linux, macOS, Windows)
- Buttercup (Android, iOS, Linux, macOS, Windows)
- KeePassDX (Android)
- KeePassXC (Linux, macOS, Windows)
Security Keys
References
- An update on two-factor authentication using SMS on Twitter
- Door lock, photo by haalkab, published Aug 15, 2016, Pixabay
- Multi-factor authentication, Wikipedia
- One-time password, Wikipedia
- Password manager, Wikipedia
- Security token (key), Wikipedia
- Time-based one-time password, Wikipedia
Changelog
-
- Add Aegis Authenticator