Twitter announced on Saturday that SMS-based (text-based) two-factor authentication (2FA) will only be available for Blue Tick subscribers. Hence, experts have criticized the microblogging site, arguing that if security is the main goal, why are verified users being excluded?
Text- or SMS-based 2FA requires the user to enter a code received via a text message after logging in with a username and password. 2FA is a security feature to protect the user account from unauthorized access.
Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here:https://t.co/wnT9Vuwh5n
— Support (@Support) February 18, 2023
However, with a recent change in its policy, only users with a Blue Tick subscription will have access to SMS-based 2FA, leaving other users to rely on other methods such as using an authentication app or a physical security key.
Experts were concerned that Twitter’s new policy would confuse users by giving them so little time to complete the transition and making SMS two-factor appear to be a premium feature.
“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” said Lorrie Cranor, director of Carnegie Mellon’s usable privacy and security lab.
Twitter is halting phone-number based 2FA because the company has found that it is being used – and abused – by bad actors. Twitter, one of the most popular social media platforms, has made it clear that there will be no new enrollments for the “text message/SMS” method of 2FA unless the users are Twitter Blue subscribers.
“But if their motivation is security, wouldn’t they want to keep paid accounts secure too? It doesn’t make sense to allow the less secure method for paid accounts only,” said Cranor.
Twitter, three days ago: Turn off two-factor authentication or you will lose your account.
Twitter today: pic.twitter.com/ReasCuoDZA
— Dígame Concejal (@RSGAT) February 20, 2023
Due to the insecurity of SMS-based two-factor authentication, industry leaders like Apple and Google have halted the option for this type of authentication and transitioned users to other forms of authentication. Last year, Black Lives Matter activist DeRay McKesson’s Twitter account was hacked despite having two-factor authentication activated. McKesson shared later that the hacker convinced the telecom company to redirect the one-time password (OTP) to a different SIM card by impersonating him in a phone call.
This incident depicts the weakness of SMS-based 2FA and reinforces the need for users to adopt more secure forms of authentication to protect their accounts from cyberattacks.
Another controversial policy in Musk era
This change in policy is one more addition to the line-up of controversial decisions made by Twitter since the takeover by tech billionaire Elon Musk last year.
Twitter Blue, which is the only way to obtain the verification badge or ‘blue tick’, was introduced by Twitter in November 2022, one month after Musk purchased the company for $44 billion in October. This subscription-based service costs $11 per month for Android and iOS users, and $8 per month for desktop-only users.
That introduction of a subscription-based “Blue Tick” raised criticism and speculation over the authenticity of the verification badge.
“Let my Twitter Blue expire. It was not worth it. At least make it zero ads, Elon. Also, I tested changing my name twice and never got my blue verification back. Lots of work to do over there to get my $8,” tweeted Heidi Briones, a user.
The experts are worried about the confusion that will be caused by this new Twitter policy, and the time given to complete the transition from text-based 2FA to another method is not very generous.
“On the surface, this sounds like a good degree of concern for users’ safety, but if you pay for Twitter Blue—and are, therefore, a customer who is serious about your Twitter usage and who Twitter should care about the most—you can continue to use that less secure method of authentication. Huh?” said Jim Fenton, an independent identity privacy and security consultant.
The company has not clarified what will happen if users do not disable SMS-based 2FA by the deadline of March 20. The experts were unable to find a logical connection between the reason and Twitter’s treatment of the new policy.
“And if you aren’t a Twitter Blue subscriber, and they downgrade you to just password-based authentication, now they’ve fully taken something that’s purported to improve users’ security and done exactly the opposite,” said Fenton.
Fenton stated that Twitter’s message would imply that they are replacing the existing authentication method with a new one that doesn’t require a hardware security key. Nevertheless, the exemption for Twitter Blue would remain nonsensical.