Twitter Faces Backlash for Limiting Free Users' Access to 2FA – Here’s How to Fight Back

In today's digital world, securing your accounts is essential for protecting your personal and financial information from cyber threats. This includes not only social media and banking but also email, online shopping, and other web services that require login credentials.

Multi-Factor Authentication (MFA) is known to be a highly effective security measure that adds an extra layer of protection to your accounts by requiring multiple forms of verification, such as a password and a fingerprint, making it much more difficult for unauthorised individuals to gain access.

With MFA, even if an attacker manages to steal a user's password or PIN, for instance, they will still need to provide an additional form of authentication to gain access to the account. Hence, MFA is becoming increasingly popular and is now widely used by many online services and applications to protect user accounts.

Yet, in a highly contested move, Twitter is restricting how its users can employ the function unless they pay up.

According to Twitter CEO Elon Musk, users who pay $8 per month for Twitter Blue will not only have the ability to edit tweets and receive the “much coveted” blue checkmark but also use SMS-based 2FA. In other words, only those who fork out for the subscription will have access to the feature.

A report by Platformer stated that non-Blue members who rely on SMS messages for 2FA will be forced to convert to an authenticator app or security key within the next 30 days or have 2FA removed entirely. When using the app, users are already being prompted to "disable text message two-factor verification by March 19, 2023, or risk losing Twitter access."

So there must be a reason why Twitter is removing SMS-based 2FA from its free users.

Twitter said that malicious actors have "used and abused" SMS 2FA, and that it loses roughly USD $60 million per year to these attacks.

Fran Rosch, CEO of ForgeRock also agrees with the report, stating that “Social media has become a hotbed for phishing scams, making our online identities increasingly fragile. SMS 2FA has been an essential tool in keeping users’ accounts and personal data safe but circumventing it is no longer cutting edge. SIM swap fraud is growing, and it only takes access to your phone number for a hacker to wrongfully prove themselves to be the owner of your social media handle.”

Removing SMS-based 2FA as a free option says something about how Twitter prioritises security and its users, and it is also, in one way, Twitter’s effort to recover the USD $60 million it loses each year to cyber attacks.

How to Keep Your Twitter Secure Without Giving Elon Musk any Money

Despite the company's justification for making 2FA/MFA a paid feature, most users agree that it is not the best move.

They are not the only ones: Security experts have joined Twitter's legion of dedicated users in being mystified, bewildered, and frustrated by the company's latest revelation. According to the researchers, it makes no sense to stop supporting SMS-based 2FA for users who do not pay for Twitter Blue, and it will impair users' security if they do not switch to another 2FA method.

The good news is that it’s possible to switch to other 2FA options, meaning you can still keep your Twitter account secure without giving Elon Musk a cent for the free app that everyone loves.

One way is through the use of an authenticator app or security key.

They are functionally equivalent to SMS-based 2FA. To activate either option, navigate to your Twitter account's Settings and privacy page, click "Security and account access," choose "Security," and then click "Two-factor authentication." There, you can choose between implementing two-factor authentication with a mobile app or with physical security keys.

Authenticator apps generate the codes themselves and are synchronised with the services you use, so you no longer need to wait for a six-digit authentication code to arrive by SMS. The app shows a list of all the sites you have set up with it, together with the code you currently need to enter for each one. These codes refresh every 30 seconds. Instead of waiting for a text message, you enter your username and password on the site and then open the authenticator app to read the code you need to finish logging in (this comes in handy when your phone has no service!).

There are several free two-factor authentication apps to choose from; they all do the same basic things and are available across platforms. Apps like Google's Authenticator and Microsoft's Authenticator have been developed by the industry's heavy hitters. Additionally, many popular password managers, such as 1Password, now provide their own authenticator services. The Authy app by Twilio is another option. As an added bonus, the iPhone's built-in generator can also be used.

Before deciding, weigh the benefits and drawbacks of each option. Perhaps you have invested a lot of time and money into Microsoft's or Google's ecosystems and are committed to using just their apps. The Google app is simple but it does not sync with others, whereas the Microsoft version provides password management features.

Using an external authentication app on Twitter, or anywhere else, is a breeze. To use it on Twitter, go to the 2FA page. Then, in your authentication app, pick the option to add a new account and scan the QR code Twitter provides. Key in the six-digit code from your app and you will be good to go.

You can also use a security key in place of an authenticator app. The keys are physical hardware that you connect to your computer or phone to use as authentication. They are the safest kind of 2FA because, unlike with a randomly generated PIN or password, an attacker would need to get their hands on the unique key in order to access your account.

Not only that, according to Fran, Twitter itself provides other two-factor authentication methods, such as push authentication through an app. Installing this kind of app on your device gives better security and a better user experience than SMS-based one-time passwords.

The Twitter account recovery code is something you should write down after setting up an authenticator app or hardware key. If you run into a problem with your 2FA, such as losing your phone or security key, you can still access Twitter with the backup code. (When you first activate two-factor authentication on Twitter, the service will supply you with a backup code; you can later have a new one issued online.) Save it in your password manager or another secure location.

Remember, Twitter is free, do not let some billionaires charge you for it! Stay safe and keep your account secure!
