Twitter to Charge for SMS Second-Factor AuthenticationDecision Sparks Concerns That Twitter Accounts Will Be Less Secure
Twitter says it will turn off SMS second-factor authentication for all but paying customers starting March 20 in a decision provoking concerns that many customers will be less secure than before.
The social network couched an announcement that it will no longer offer SMS second-factor authentication except to Twitter Blue subscribers as concern over the security of the method.
"While historically a popular form of 2FA, unfortunately we have seen phone number-based 2FA be used - and abused - by bad actors," the company wrote in a blog.
"Use of free authentication apps for 2FA will remain free and are much more secure than SMS," company owner Elon Musk tweeted.
Security experts do in fact favor other forms of multifactor authentication besides SMS, which is vulnerable to attacks such as SIM card swapping. The National Institute of Standards and Technology in 2017 suggested deprecating texted one-time codes. Computing giant Google in 2020 shifted to on-device prompts as a second factor for account logon. Experts have also long touted security keys - physical devices linked to accounts that transmit encrypted tokens via a USB or low-energy wireless signal.
But the announcement mainly has led to cybersecurity experts telling Twitter - often through Twitter itself - that imperfect SMS second-factor authentication is better than none at all.
"Overtime, we want to move folks from SMS 2FA (which can be a risk if that individual has a high threat model bc of targeted SIM swapping attacks etc) to app-based MFA - that's the dream, yeah. But it's not right to de-enroll them in 2FA or make them pay for SMS 2FA," tweeted Rachel Tobac, CEO of SocialProof Security and chair of Women in Security and Privacy.
Numbers from Twitter show that 2.6% of active Twitter accounts have activated second-factor authentication. Of those, about three-quarters selected SMS as the method of second-factor authentication.
It's likely, Tobac predicted, that many of the users forcibly unenrolled from SMS second-factor authentication will not take the time to set up another method.
"The loss of an instantly accessible form of 2FA will likely see users switch off 2FA altogether rather than make the migration to an app they have no familiarity or understanding of," wrote Toby Lewis, global head of threat analysis at Darktrace.
A tweet from Musk suggested that security is not his only concern. "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages," he wrote. Since assuming ownership of the company, Musk has engaged in a series of cost-cutting moves that include mass layoffs (see: Twitter Ramps Up Regulatory Exposure After Loss of CISO).The company faces lawsuits in London and San Francisco for nonpayment of rent for its offices, Bloomberg reported.