Twitter, surprisingly, has decided to make 2-factor authentication via SMS a feature of Twitter Blue, the paid version of Twitter, from next March 20, on pain of being unable to access one's account. It is a delusional choice, but one that can be sidestepped by choosing A2F via app.
Before we get into the details of the news, which is surprising in some ways, someone really ought to sit down next to Elon Musk and tell him to stop, because he is going too far.
The news is that yesterday evening, Italian time, Twitter announced through the Twitter Support account that from next March 20, 2-factor authentication (A2F) via SMS will be a paid feature. In practice it will become a feature included in the subscription to Twitter Blue, the premium version of Twitter that offers users additional features for 8€ per month (or 7€ per month if you choose the annual subscription) when subscribing from the web, or 11€ per month when subscribing via the iOS or Android app.
Here on our blog we have always recommended activating 2-factor authentication via an app, such as Google Authenticator, because A2F via SMS has never been synonymous with security. The explanation is very simple. The codes issued via SMS are static codes, that is, codes that can be intercepted by hackers, or by any malicious application, which can thus get hold of your credentials. When you log in through 2-factor authentication with Google Authenticator, however, the codes vanish after 30 seconds, which makes the authentication process much more secure.
But the choice to make A2F via SMS a paid option is really dastardly, pardon the exaggeration. Twitter has never before imposed choices like these on users, let alone while giving them so little time.
Perhaps the time factor may seem exaggerated, but it is not. Meanwhile, those who cannot choose to pay will find it difficult to access their accounts from next March 20. Basically, you either pay or you lose access to Twitter. We have not heard of such a thing in many years.
Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here: https://t.co/wnT9Vuwh5n
– Twitter Support (@TwitterSupport) February 18, 2023
Damn you guys are getting desperate to find that monetization model huh?
– RubberRoss (@RubberNinja) February 18, 2023
The best choice would be to opt now for 2-factor authentication via app, such as Google Authenticator, to avoid paying and continue using your account after March 20. To make this choice, all you have to do is go to your Twitter account's Settings, from mobile > Security and Account Access > Security. Here click on "Two-Factor Authentication," choose the "Authentication App" option and disable the first one, "SMS." Once you have chosen the app you want to use for code retrieval, all you have to do is link your account to the app with the QR code so that everything is set up. At this point you will not have to pay anything.
So far it sounds simple, but it is not. In fact, many people choose A2F via SMS for simplicity, because they feel that 2-factor authentication via app is difficult to set up. And that is what Twitter is leveraging; it pains us to say it, but it is so.
i.e. dear twitter you don’t give me a tick because I don’t count for shit – and you’re right – but now punishing me seems a bit much pic.twitter.com/r3Hp6VYQZ8
– Marta Cagnola (@martacagnola) February 18, 2023
The tweet above, from Radio24 journalist Marta Cagnola, shows the message Twitter is sending to those who chose A2F via SMS.
It should be noted that the choice to charge for A2F via SMS is obviously a matter of money. It is Twitter that sends the message containing the access code to the user, and at present Twitter no longer wants to pay for that but wants the user to do so.
But do you know how many Twitter users generally adopt A2F? Rachel Tobac, a security expert, helps answer this question: on Twitter she shared data, which Twitter itself produces, along with very interesting and realistic considerations. The answer is that only 2.6 percent of Twitter users use 2-factor authentication and 74 percent of them, so the vast majority, use A2F via SMS.
Less than 30%, namely 28.9%, of Twitter users adopt A2F via app.
Twitter wants 1.92% of users to pay to access their account from next March 20. This is, therefore, a way to try to make Twitter Blue more and more popular, as subscriptions are also struggling to take off in the US.
This Twitter 2FA change is nerve-racking because: 1. Only ~2.6% of Twitter users have 2FA on at all (it's essential for preventing easy account takeover) Of those 2.6%, 74% use text message based 2FA (https://t.co/WXuFydZk17) If they don't pay for Blue they auto lose 2FA on 3/20. https://t.co/LneQojvjbi pic.twitter.com/PgySF3Qyag
– Rachel Tobac (@RachelTobac) February 18, 2023
As we were saying before, people choose 2-factor authentication via SMS because the one via app is more complicated, or at least perceived that way. And that is because on security, and digital matters in general, there is still a lot to be done in terms of training, digital culture and information, as Tobac herself points out.
It would have been better if Twitter had given users more time to choose, maybe a year; things would have been different.
But time is tight for Elon Musk, who needs to make $3 billion in revenue by this year, and, unfortunately, things are not going well for Twitter, despite the fact that he keeps saying everything is fine. It is not, and this choice to charge users for their account security proves it. We will see what effect this decision will have in the coming days.