Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Twitter Shuts Off Text-Based 2FA for Non-Subscribers

Twitter started a security ruckus over the weekend with the sudden decision to turn off text message/SMS method of two-factor authentication (2FA) for non-subscribers.

Elon Musk’s Twitter started a security ruckus over the weekend with the sudden decision to turn off text message/SMS method of two-factor authentication (2FA) for anyone not subscribed to its paid Twitter Blue service.

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers,” Twitter announced late Friday.

“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company added. After March 20, Twitter said accounts with text message 2FA still enabled will have it disabled.

The company is pushing its unpaid users to consider using an authentication app or security key method instead.  

The decision — and the way it is positioned as a paid feature — attracted backlash from security professionals who argue that text-based 2FA is better than nothing at all. Worse, it creates a false sense of security among paying subscribers who may think the weakest form of 2FA is a premium feature.

Twitter’s own internal data shows that multi-factor adoption remains startlingly low. According to a 2021 transparency report, Twitter found that barely 2.3 percent of all its active accounts have enabled at least one method of two-factor authentication between July and December 2020.   

Even worse, out of that paltry 2.3 percent of all users who opted to turn on the password-verification feature, 80 percent used the weaker SMS-based authentication, which is known to be susceptible to phishing and SIM-hijacking attacks.

At the time, Twitter acknowledged this was a significant industry-wide hiccup. “Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure.”

“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”

Musk acquired Twitter last year with a stated mission to “authenticate all humans” and defeat the spam bots, prompting optimism in some quarters that the deal would spur cybersecurity tech innovation around identity, multi-factor authentication and botnet detection. 

Related: Can Elon Musk Spur Cybersecurity Innovation at Twitter?

Related: Why Are Users Ignoring Multi-Factor Authentication? 

Related: Hackers Used Internal Twitter Tools to Hijack Big-Name Accounts

Related: Ex-Security Chief Accuses Twitter of Hiding Major Flaws

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...