Twitter 2FA: How to Stay Secure


If you’re a non-Blue Twitter user, you likely received the same pop-up message I did: “You must remove text message two-factor authentication… To avoid losing access to Twitter, remove text message two-factor authentication by March 19, 2023.” Since the cybersecurity community strongly recommends multi-factor authentication – the requirement to provide at least two forms of identity verification – this decision caught many by surprise.

Online reactions have been predictably divided.

Twitter announcement that SMS-based two-factor authentication will no longer be available for free users. It will only be available on Twitter Blue.

Twitter’s 2FA Change: The Facts

Twitter explained its decision, stating “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.” We have also observed adversaries targeting MFA. This raises the question: if the concern is adversarial exploitation, why keep SMS 2FA for Twitter Blue, the platform’s paid subscription service? Regardless, the decision has real implications for the majority of Twitter users.

The good news is that SMS 2FA is only one of the authentication methods the platform offers. Twitter users can still enable multi-factor authentication via an authenticator app (Microsoft Authenticator, Google Authenticator, Duo Mobile, etc.) or a security key (such as a Yubico Security Key), both of which offer protection comparable to, if not better than, text-based verification. Users also have 30 days to make the change, which gives at least some time to switch to a different MFA option.

However, this change introduces risk as well. Convenience is often prioritized over security. Will executives switch to an authenticator app? Is a physical security key too big a barrier for the average Twitter user? Users are also reportedly receiving errors when they attempt to remove SMS authentication. If this is not resolved quickly, it could result in innumerable users losing access to their accounts, which would create attractive impersonation opportunities for adversaries.

Keep in mind that threat actors are on Twitter too. Knowing that some Twitter users will not make the MFA change, or at least will not make it quickly, they could take advantage by deploying more of the brute-force attacks Twitter says are already targeting SMS 2FA accounts. While the security community is familiar with how the MFA alternatives work, these methods aren’t as ubiquitous. Some people might struggle to migrate, leaving their accounts open to attack as well.

Staying Secure on Social Media

Twitter’s decision to charge for the ability to keep text-based 2FA undoubtedly creates opportunity for threat actors. Businesses, executives, and individuals must take proactive steps to ensure their multi-factor authentication protections continue uninterrupted.

An app-based authenticator such as Microsoft Authenticator is likely the easiest alternative to SMS authentication. Microsoft Authenticator is a free mobile app you can use to maintain MFA on a multitude of accounts – social media, email, retail sites, etc. In this case, Twitter generates a QR code, and you scan it from the Authenticator app, which adds the account to the app. Twitter then asks for a code, and the authenticator generates a new code every 30 seconds. Once you enter the code the first time, your account is connected to the authenticator app, and boom, your MFA is restored.
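What the QR-code enrollment and the 30-second code actually are: the QR code carries a shared secret, and the app and Twitter each compute HMAC-SHA1 over the current 30-second time step to get the same 6-digit code (TOTP, RFC 6238). The example below is added here to illustrate that and is not ZeroFox's or Twitter's code; it assumes the common `otpauth://totp/...` URI format for the QR contents and uses a constructed enrollment URI built from the RFC 6238 test secret so the outputs can be checked against the published vectors.

```python
"""TOTP as used by authenticator apps: the enrollment QR code encodes a shared
secret, and both sides derive a short code from HMAC-SHA1(secret, unix_time // 30)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri: str) -> dict:
    # Extract the secret/digits/period from the URI an enrollment QR code encodes.
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = parse_qs(parts.query)
    return {
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp_code(secret_b32: str, unix_time, period: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period                      # time step, identical on both sides
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, submitted, unix_time, period=30, digits=6, window=1):
    # Server side: accept the current step plus `window` steps either side for clock
    # drift, and compare in constant time so the check doesn't leak matching prefixes.
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * period, period, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed enrollment URI (hypothetical account) using the RFC 6238 SHA-1 test
# secret, ASCII "12345678901234567890", base32-encoded.
SAMPLE_URI = ("otpauth://totp/Twitter:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Twitter")

if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    print("code now:", totp_code(enrolled["secret"], time.time(),
                                 enrolled["period"], enrolled["digits"]))
```

Because the code depends only on the secret and the clock, anyone who captures the QR code or the secret can generate valid codes, which is why the enrollment screen should be treated as sensitive as a password.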

Multi-factor authentication is one of the simplest steps you can take to secure your personal online accounts. While text-based authentication is the most common form, it is not more secure than the alternatives. So whether you protect your personal account, your business account, or your executives’ accounts, now is the time to update your MFA settings.
