Twitter recently announced that its popular social media platform would allow SMS-based two-factor authentication (2FA) exclusively for Blue subscribers.
The decision is likely motivated by repeated abuse and exploitation of the authentication method by threat actors.
Once considered a reliable defense against hostile login attempts, SMS-based 2FA has fallen out of favor after being repeatedly exploited in SIM-swapping attacks.
Twitter’s decision to drop SMS-based 2FA for non-Blue subscribers is by no means an invitation to disaster, as the company offers other multi-factor authentication options.
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors,” reads Twitter’s announcement. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
As the company’s decision takes effect, non-subscribers can still protect their accounts with security keys and authenticator apps. Furthermore, the availability of SMS-based 2FA for Blue subscribers “may vary by country and carrier.”
Twitter adds that “non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled. Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account.”
The company’s decision to strengthen its defenses comes shortly after last month’s massive data leak that exposed the email addresses of over 200 million Twitter users. The security incident was caused by a Twitter login vulnerability that allowed threat actors to check whether an email address or phone number was associated with a Twitter account simply by submitting it.
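The login flaw described above belongs to the account-enumeration class: a response that differs depending on whether an identifier is registered lets anyone confirm which emails or phone numbers belong to accounts. The following is an added illustration and is not Twitter's code or anything recovered from the incident; the user store, identifiers and messages are constructed. It places a leaky login handler next to a hardened one that returns a uniform message and performs the same hashing work on both paths, plus a small check a reviewer can run to tell the two apart.

```python
import hashlib
import hmac

# Constructed sample store (not real data): identifier -> (salt, PBKDF2 hash).
# A fixed salt is used only to keep the example deterministic.
_SALT = b"constructed-fixed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "alice@example.com": (_SALT, _hash("correct horse", _SALT)),
}

# Dummy hash compared against when the identifier is unknown, so the
# unknown-account path costs the same as the known-account path.
_DUMMY_HASH = _hash("dummy-placeholder", _SALT)


def leaky_login(identifier: str, password: str) -> str:
    """Enumeration-prone: the failure message reveals whether the identifier is registered."""
    record = USERS.get(identifier)
    if record is None:
        return "no account is associated with this email or phone number"
    salt, expected = record
    if hmac.compare_digest(_hash(password, salt), expected):
        return "ok"
    return "wrong password"


def hardened_login(identifier: str, password: str) -> str:
    """Uniform response: same message and same hashing work whether or not the identifier exists."""
    record = USERS.get(identifier)
    salt, expected = record if record is not None else (_SALT, _DUMMY_HASH)
    # Always run the hash and the constant-time compare, even for unknown identifiers.
    match = hmac.compare_digest(_hash(password, salt), expected)
    if record is not None and match:
        return "ok"
    return "invalid credentials"


def responses_distinguish_existence(login_fn) -> bool:
    """Return True if the failure message differs between a registered and an
    unregistered identifier, i.e. the handler can be used to enumerate accounts."""
    known = login_fn("alice@example.com", "not the password")
    unknown = login_fn("nobody@example.com", "not the password")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:", responses_distinguish_existence(leaky_login))
    print("hardened handler enumerable:", responses_distinguish_existence(hardened_login))
```

A uniform message alone is not enough in practice: the hardened path also runs the hash on unknown identifiers so that response time does not become the oracle instead, and a real deployment would pair this with rate limiting and alerting on high-volume lookups of distinct identifiers, which is what the reported enumeration at scale would look like in logs.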