Twitter to charge $8 a month for SMS two-factor authentication, and 75% of users are at risk

Twitter has confirmed that it is now only offering SMS-based two-factor authentication as an option to people who pay for its Twitter Blue subscription service.

In a blog post, the company confirmed that the change would kick in on March 20. After that date anyone who already has SMS two-factor authentication enabled will see it disabled, meaning they'll have no second factor available to them. The security of their Twitter account will be severely impacted as a result.

The move comes as Twitter is reportedly losing money hand over fist, with owner and CEO Elon Musk thought to be looking for ways to save cash where possible. Charging people for SMS-based 2FA appears to be his latest idea.

So insecure

It's important to use two-factor authentication because it ensures that even if someone has your username and password, they won't be able to access your account or data. In the case of SMS and Twitter, logging into the social network would trigger a text message to be sent to a trusted phone number, authentication code in tow.

Twitter would then require that the code be plugged into the log-in form, or else access wouldn't be granted. Now, that won't happen unless you pay at least $8 monthly for Twitter Blue.

However, SMS-based two-factor authentication is problematic. Twitter says it's had an issue with bad actors and abuse, but the real problem is that it isn't all that secure.

With SMS handling two-factor authentication, someone only needs access to that phone in order to intercept the code generated by sites like Twitter. That could mean stealing a phone or, more likely, some sort of SIM swap attack.

As a result, physical security keys or software code generators are a better option. Some of the best hardware security keys even have a wireless component, too. In the case of Twitter, a software two-factor authentication solution is a great option; for most people, it happens to be the only one as well. Thankfully, these options are remaining free, but as Twitter's own transparency reports reveal, 75% of all of its users are SMS 2FA users and will need to change their settings or cough up.

Oliver Haslam
Contributor
