Elon Musk’s Twitter started a security ruckus over the weekend with the sudden decision to turn off text message/SMS method of two-factor authentication (2FA) for anyone not subscribed to its paid Twitter Blue service.
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers,” Twitter announced late Friday.
“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the company added. After March 20, Twitter said accounts with text message 2FA still enabled will have it disabled.
The company is pushing its unpaid users to consider using an authentication app or security key method instead.
The decision — and the way it is positioned as a paid feature — attracted backlash from security professionals who argue that text-based 2FA is better than nothing at all. Worse, it creates a false sense of security among paying subscribers who may think the weakest form of 2FA is a premium feature.
Twitter’s own internal data shows that multi-factor adoption remains startlingly low. According to a 2021 transparency report, Twitter found that barely 2.3 percent of all its active accounts have enabled at least one method of two-factor authentication between July and December 2020.
Even worse, out of that paltry 2.3 percent of all users who opted to turn on the password-verification feature, 80 percent used the weaker SMS-based authentication, which is known to be susceptible to phishing and SIM-hijacking attacks.
At the time, Twitter acknowledged this was a significant industry-wide hiccup. “Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure.”
“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”
Musk acquired Twitter last year with a stated mission to “authenticate all humans” and defeat the spam bots, prompting optimism in some quarters that the deal would spur cybersecurity tech innovation around identity, multi-factor authentication and botnet detection.
Related: Can Elon Musk Spur Cybersecurity Innovation at Twitter?
Related: Why Are Users Ignoring Multi-Factor Authentication?
Related: Hackers Used Internal Twitter Tools to Hijack Big-Name Accounts
Related: Ex-Security Chief Accuses Twitter of Hiding Major Flaws