Twitter to charge users for text-message authentication


Twitter is removing text-message two-factor authentication (2FA) for non-subscribers.

By double-checking the identity of the person logging in, 2FA lets users add an extra layer of security to their online accounts, beyond passwords.

Common methods include texting users a code or using an authenticator app.

But on Saturday, the Twitter Support account tweeted that only Twitter Blue subscribers would be able to use text-message authentication from 20 March.

Some text-message 2FA users also received an in-app alert telling them to remove the method before the deadline to avoid losing access to their account.

Twitter owner and chief executive Elon Musk tweeted its authenticator app, which would remain free, was more secure.

Twitter had been "scammed" by phone companies and was paying more than $60m (£49m) a year for "fake 2FA SMS messages", he told a critic of the move.

Twitter blogged that "bad actors" had abused the method.

"We encourage non-Twitter Blue subscribers to consider using an authentication app or security-key method instead," it said.

"These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure."

But security expert Rachel Tobac tweeted that the move was "nerve-wracking", citing a Twitter report published in July 2022 showing only 2.6% of active Twitter accounts had 2FA turned on between July 2021 and December 2021 but of those:

  • 74.4% were using the text-message method.

  • 28.9% were using an authentication app.

"All of us in security want folks to use a great form of [multi-factor authentication] to protect their account," Ms Tobac tweeted, "but auto-unenrolling users who already signed up for SMS 2FA, because they didn't pay, just opens them up to risk."

Experts have warned SMS 2FA can be less secure than authenticator apps.

But it remained popular because it was easy to use, Prof Alan Woodward, of the University of Surrey, said.

"I'd rather people used something rather than nothing, which might well be what the less tech savvy are tempted to do," he told BBC News.

"I sympathise that Elon Musk is trying to drive cost out of the business but choosing to effectively discourage 2FA for many users seems a dreadfully short-sighted false economy."