There’s been a lot of confusion about Twitter’s changes to two-factor authentication[1]. Let’s break it down and review what’s changing, what that means for your security, and what you should do about it.
Two-factor authentication (or 2FA) is a way to make accounts more secure. Without 2FA, all an attacker needs to take over your account is your username and password. When you have 2FA enabled on your account, it takes more than a username and a password to log in. You need something else — a second factor — that proves you are the account owner.
That second factor can take a few different forms.
The most common (and least secure) method is SMS-based authentication. If you’ve ever gotten a text message with a numeric code that you had to enter before you could finish signing in, that was SMS-based 2FA[2]. This is the type of 2FA that will be affected by Twitter’s changes.
A quick caveat: everything that follows is true as of March 17th, 2023. Things at Twitter are pretty volatile right now, so it’s possible some or all of this will change with little notice.
Starting March 20th, 2023, only Twitter Blue accounts will be able to keep using SMS-based 2FA.
If you do not have a Twitter Blue subscription for your account, and you currently use SMS-based 2FA, you have until March 20th to change to a different method of 2FA[3]. If you don’t set up something else and your account still uses SMS for 2FA on March 20th, 2FA will be disabled. Your account will still be active, but it will be less protected.
SMS costs money, and without careful attention organizations offering it for 2FA can incur large bills due to a type of fraud referred to as “SMS pumping.” Twitter is in cost-cutting mode, and executives have made various claims about the company experiencing SMS fraud issues running into millions of dollars in damages.
There is some security impact, but that impact is just a side effect — and it may not be the side effect you’re expecting. Because Twitter is framing SMS-based 2FA as a premium feature that’s only available to paying customers, you might think that it’s somehow better.
It isn’t. If you have a Twitter account that uses SMS-based 2FA, you should switch over to an authenticator app or a security key… even if you have Twitter Blue.
Although it’s better than not using two-factor authentication at all, SMS-based 2FA is much less secure than using an authenticator app or a security key. The main issue is that text messages aren’t tied to your physical device — they are tied to your phone number, which can be moved between devices. If you’ve ever lost your phone or upgraded to a new model, you’ve probably done this legitimately. But a lot of the time, phone companies don’t do a great job of verifying that the person asking to move a phone number to a different device is actually the account owner.
When an attacker exploits this weakness to take over a phone number, it’s called SIM swapping (or a port-out attack if it involves switching the number to a new carrier, but we’ll use the term SIM swapping to refer to both attacks). SMS-based 2FA is vulnerable to SIM swapping. There are many, many real-life cases where attackers used SIM swapping to intercept text messages containing 2FA codes and take over an account.[4]
Fortunately, there are two other common methods of 2FA: authenticator apps and security keys. Both of these methods are more secure than SMS, and both of them will still be available to all Twitter users regardless of Twitter Blue status.
If you want to go all out on security, you could try using a hardware security key like a Yubikey. They’re super easy to use (you just tap the key) and they have additional security features that can protect you from phishing websites pretending to be your favorite app. But they do cost money, and you do have to carry an additional physical item with you.[5]
Most authenticator apps run on a scheme called “Time-Based One Time Password” or TOTP. Without getting too technical, TOTP is a system that generates a new, random-looking numeric code every 30 seconds.[7] Then, you use that code along with your username and password to sign in.
It sounds pretty similar to SMS-based authentication, but there are a couple of key differences that make it better.
First, as we discussed earlier, SMS-based authentication is vulnerable to SIM swapping attacks. App-based authentication isn’t. Even if an attacker successfully SIM swaps you and takes over your phone number, that only gives them access to things like your text messages and phone calls. It doesn’t give them access to the apps that are installed on your phone. In other words, if you use an app-based authenticator, you don’t have to worry about SIM swapping being used to take over one of your online accounts.[8]
The second benefit isn’t directly security-related, but it may be convenient in some situations. Unlike SMS-based authentication, where you have to be able to receive text messages in order for it to work, authenticator apps work offline. Your phone isn’t receiving the code from a remote source; it’s generating it. So even if you’re traveling internationally, you’ll still be able to log in to your accounts.
Starting in late March, only paid Twitter Blue users will be able to receive 2FA codes via text message. Non-paying Twitter users will still be able to secure their accounts with two-factor authentication, but they will have to use a physical security key or an authenticator app. We recommend you make the switch to a physical security key or an authenticator app regardless of your Twitter Blue status.
[2] “SMS” stands for “Short Message Service” or “Short Messaging Service.” It’s one of the most widely used services for sending text messages that is not tied to a specific platform or type of device.
[3] If you are a regular user setting up 2FA for the first time, then SMS-based 2FA has already been disabled as an option. You will have to use an authenticator app or security key.
[4] The FBI estimates that millions of dollars have been stolen as a result of SIM swapping attacks, and the attacks are only increasing in frequency. The attack has been used to steal vast amounts of cryptocurrency, to sexually extort victims (content warning), and to steal people’s life savings – on multiple occasions.
[5] In fact, you will probably need two security keys, so that if the first key gets lost you aren’t locked out of your accounts. Using a hardware key as your primary method and having an authenticator app set up as a secondary option also works. If the 2FA setup process generates any kind of backup codes, you can also store those in a safe place and use those for account recovery purposes. The important thing is that you have a backup plan if your primary hardware key gets lost, and that the backup plan isn’t SMS-based 2FA.
[6] You may have used one of these kinds of apps before if you do online banking, or if you work from home and log in to your company’s VPN.
[7] Usually every 30 seconds. The spec doesn’t say that it has to be 30 seconds; that’s just the default.
[8] You can still be SIM swapped – using an authenticator app doesn’t prevent the underlying attack – but it limits the damage.