Twitter introduced yesterday that as of March 20, it’s going to solely enable its customers to safe their accounts with SMS-based two-factor authentication in the event that they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires customers to log in with a username and password after which an extra “factor” like a numeric code. Security consultants have lengthy suggested that folks use a generator app to get these codes. But receiving them in SMS textual content messages is a well-liked various, so eradicating that choice for unpaid customers has left safety consultants scratching their heads.

Twitter’s two-factor transfer is the newest in a collection of controversial coverage adjustments since Elon Musk acquired the corporate final yr. The paid service Twitter Blue—the one strategy to get a blue verified checkmark on Twitter accounts now—prices $11 per thirty days on Android and iOS and fewer for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication can have the choice to modify to an authenticator app or a bodily safety key.

“While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post revealed yesterday night. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

In a July 2022 report about account security, Twitter stated that solely 2.6 p.c of its lively customers have any sort of two-factor authentication enabled. Of these customers, practically 75 p.c had been utilizing the SMS model. Almost 29 p.c had been utilizing authenticator apps and fewer than 1 p.c had added a bodily authentication key.

SMS-based two-factor authentication is insecure as a result of attackers can hijack targets’ telephone numbers or use different methods to intercept the texts. But safety consultants have lengthy emphasised that utilizing SMS two-factor is considerably higher than not having a second authentication issue enabled in any respect. 

Increasingly, tech giants like Apple and Google have eradicated the choice for SMS two-factor and transitioned customers (sometimes over many months or years) to different types of authentication. Researchers fear that Twitter’s coverage change will confuse customers by giving them so little time to finish the transition and making SMS two-factor seem to be a premium characteristic.

“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon’s usable privateness and safety lab. “But if their motivation is security, wouldn’t they want to keep paid accounts secure too? It doesn’t make sense to allow the less secure method for paid accounts only.”  

While the corporate says its adjustments to two-factor will roll out in mid-March, Twitter customers with SMS two-factor turned on began encountering a pop-up overlay display screen yesterday that suggested them to take away two-factor totally or change to “the authentication app or security key methods.” 

It is unclear what’s going to occur if customers don’t disable SMS two-factor by the brand new deadline. The in-app message to customers implies that individuals who nonetheless have SMS two-factor turned on when the change formally occurs on March 20 might be locked out of their accounts. “To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023,” the notification says. But Twitter’s weblog put up says that two-factor will merely be disabled on March 20 if customers do not regulate it earlier than then. “After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method,” the corporate wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”