Twitter, in its latest blunder, will require its users to pay for its subscription service to be able to use SMS Two-Factor Authentication.
A colleague of mine received an interesting popup from Twitter. It warned that he will soon lose access to his Twitter account if he doesn’t turn off his SMS Two-Factor Authentication.
He sent me a screen grab of the message and I would have assumed it was a joke…if I hadn’t seen so much craziness from that platform since Elon Musk took it over.
Two-Factor Authentication is a security safeguard that goes one step beyond your password. After you enter your password, 2FA requires a second code to get you into your account. The idea is that if someone happens to steal or guess your account password, they still can’t get in unless they also have your cell phone.
There is more than one type, but SMS Two-Factor Authentication is probably the most popular.
In the old days of Twitter verification, when the little blue checkmark actually meant something, Twitter required verified users to use 2FA. They insisted it was a valid security measure to help users avoid hackers.
If you’ve ever been locked out of your Twitter account, you know you face an uphill climb. I had to help a team member get access restored to their account and it took nearly three months. That was before all of the layoffs and general chaos we now see at the platform. There’s no telling how long it would take to get access if a hacker got into your account these days.
So why would Twitter send a message to turn SMS Two-Factor Authentication off?
Money, of course.
The message warns that you must remove text message 2FA.
It then states the crux of the matter: Only Twitter Blue subscribers can use text messages to get the access code to get them into their account.
“It’ll take just a few minutes to remove it,” the message states. “You can still use the authentication app and security key methods.”
The authentication app refers to Google Authenticator, a free app from Google that you sync with your account. When you log in, you then open that app and type in the six-digit passcode it provides. The authenticator app gives you a new six-digit code every 60 seconds; it’s always refreshing the code so that whenever you log in, there’s a new code waiting for you.
The message then turns a bit sinister: “To avoid losing access to Twitter, remove text message two-factor authentication by Mar. 19, 2023.”
Why would you lose access?
Well, if your account is set up to require a six-digit code through a text message, as of March 19, it will no longer send that code to you.
Unfortunately, once you activate 2FA, it’s not an optional login feature: You must have the six-digit code or you don’t get in, no matter how many times you successfully enter your password alone.
So the most popular method of two-factor authentication is suddenly off-limits unless you want to shell out $7 per month. (That’s the monthly price when you buy a year’s subscription at $84.)
Twitter claims it’s about safety.
Twitter says the reason for this move is that phone number-based two-factor authentication is being “abused by bad actors,” NPR reported.
But that argument doesn’t make sense. If it’s an unsafe way of doing things, why would you have to pay to continue using it? Why wouldn’t Twitter just require everyone to use an alternative method — whether they charge for it or not — and drop SMS-based 2FA altogether?
Security is security, right?
The Google Authenticator app is a pain-free option. So on the one hand, it’s not a big deal to switch to that.
But on the other hand, it seems imprudent to make you turn off a security feature. You shouldn’t have to mess with your account’s security just because they want to charge you.