Twitter is ending free SMS 2FA: Here’s how you can protect your account now
Ditching Twitter’s free text message authentication doesn’t mean you should forgo using 2FA. Instead, turn to another – and, indeed, better – 2FA option.
Starting today, Twitter is disabling SMS-based two-factor authentication (2FA) for all but paying users following a decision which, unlike other recent moves by the social media giant, has been met with controversy that has reverberated far beyond the Twitterverse.
“While historically it has been a popular form of 2FA, unfortunately, we have seen phone number-based 2FA used – and abused – by bad actors,” read the Twitter statement that announced the change in mid-February.
Over the years, the company and its many users – including former Twitter CEO Jack Dorsey – have learned the hard way that phone numbers are not a good identifier and text messages are vulnerable to hijacking.
Fast forward (almost) to today, and the platform’s current CEO, Elon Musk, said this about Twitter dropping SMS 2FA: “Twitter scammed by phone companies for $60 million/year worth of 2FA fake SMS messages.”
Before you say ‘good riddance to SMS 2FA’, consider that using any 2FA method is much better than relying solely on your passwords. This raises the question: have you prepared for the death of free SMS 2FA, so that you avoid putting your Twitter account at high risk of being hacked? In recent weeks, Twitter has been pushing users away from SMS and towards other two-step login methods, but if that hasn’t worked, now is the time to act.
Here’s how you can increase the security of your Twitter account without SMS 2FA – and make it more secure than ever. Even if you are among the 0.2 percent of Twitter users who pay to subscribe to the platform, keep reading – most of this advice might actually work for you too.
How 2FA authentication works – and how it fails
As you probably know by now, 2FA adds a valuable layer of protection to your account and is especially useful if your passwords are stolen. It’s a pity, then, that only 2.6 percent of active Twitter accounts had at least one 2FA method enabled in the second half of 2021 (up from 2.3 percent the previous year). Of these, three-quarters use text messaging as their second authentication factor.
This form of 2FA – which was first developed in the mid-1990s (back then, they used pagers for it) – has become by far the most popular 2FA method across email and social media platforms, online stores, and banks.
Obviously, waiting for a text with a code and entering that code after your password is an easy way to increase your account security. But while any second factor is much better than nothing, 2FA via text messages has long been known to be vulnerable to various attacks, because text messages are not encrypted and can be intercepted, read, or redirected by a determined attacker with relative ease. Back in 2016, the United States National Institute of Standards and Technology (NIST) called for the elimination of SMS-based 2FA.
The past few years have seen a spate of reports of attackers gaining access to people’s online accounts after, for example, a successful SIM swap scam. This scam involves criminals tricking telephone carriers into transferring their target’s phone number to a device they control. From there, they can break into the victim’s banking, social media, and other accounts that use the same phone number for 2FA. None other than former Twitter head Jack Dorsey fell victim to this attack in 2019.
Over the years, security researchers, including at ESET, have found many examples of malware capable of circumventing people’s 2FA protections.
For example, way back in 2016, ESET researchers discovered an Android banking trojan that was stealing login credentials for 20 mobile banking apps. To bypass SMS codes, the malware forwarded all received text messages to the criminals. Three years later, ESET uncovered a malicious app that took advantage of a new technique to read one-time password (OTP) notifications that appeared on device screens.
Twitter’s 2FA protections and security posture came under scrutiny in 2020 when a vishing attack on its staff led to the hijacking of some 130 accounts belonging to prominent figures. In the hack, attackers subverted Twitter’s 2FA protections and used the accounts of Barack Obama, Elon Musk, Bill Gates and others to peddle Bitcoin scams.
To carry out the hack, the criminals impersonated Twitter’s official VPN website, where employees entered their credentials. The attackers then immediately entered those login credentials into the genuine Twitter VPN and waited for the employee to receive a one-time password. After the victim filled in the password on the fake VPN site, the hackers logged in.
So, what are your 2FA options on Twitter right now?
Using free authentication apps for 2FA will still be free and much more secure than texting https://t.co/pFMdxWPlai
— Elon Musk (@elonmusk) February 18, 2023
There are two other main types of 2FA that Twitter supports and that are more secure than text messages.
First, you can use an on-device authenticator app such as Microsoft Authenticator or Google Authenticator, which provide solid security and are more flexible than hardware keys (more on that later).
Authenticator apps generate a one-time code that you use to confirm your identity when you sign in to websites or apps. This may not sound too different from SMS 2FA, but the beauty of these apps is that instead of being sent to you via text message, the code appears in the app and is linked directly to your device instead of your phone number.
As a result, application-based authentication significantly complicates matters for anyone looking to read or steal your code. (Malware that can steal authenticator codes is not unheard of, however.)
If you still want to up your security game, consider getting a hardware security key that you connect via USB, NFC, or Bluetooth. Physical keys provide a high level of security, especially since codes cannot be intercepted or redirected. In order to break into your account, criminals have to steal the key as well as get your login credentials.
One possible drawback is that you have to carry your key with you every time you want to log in. Also, the currently available keys are not universally supported by all devices and platforms. Also, be prepared for prices starting around US$25. More advanced versions, such as those with fingerprint recognition, may cost more than US$100.
What else can you do to increase your Twitter security?
When switching from SMS-borne 2FA, be sure to review your account security and privacy settings. Among other things, set a strong and unique password (if you don’t already use one) and consider taking these steps to stay safe while using the platform.
And if you are already, or plan to become, a Twitter Blue subscriber, you might as well ditch SMS 2FA in favor of an authenticator app or hardware key.