How to keep your Twitter safe without giving Elon Musk money •

by Ana Lopez

Friday lateTwitter announced a new policy that will remove SMS two-factor authentication (2FA) from any account that is unwilling to pay for it.

In a blog post, Twitter said it only allows accounts that subscribe to the premium Twitter Blue feature to use SMS-based 2FA. Twitter users who do not switch to another type of two-factor authentication will have the feature removed from their accounts on March 20.

That means anyone who relies on Twitter to send an SMS code to their phone to log in has their 2FA turned off, so anyone can access their accounts with just a password. If you have an easy-to-guess Twitter password or use the same password on another site or service, you need to take action sooner rather than later.

Twitter claims it is “committed to keeping people safe on Twitter”. This is not true. Instead, you’re looking at one of the dumbest security decisions a company has made in real time.

It is not clear why this new 2FA policy, first revealed by Platformer Zoë Schiffer and later confirmed by Twitter, was set. Since the $44 billion acquisition by Elon Musk, Twitter has been bleeding money and employees. It’s likely that the move to eliminate SMS 2FA was to save the company money, since sending text messages isn’t cheap. We were going to ask Twitter for comment, but Musk fired his entire communications team.

Twitter motivated the decision his blog post, saying that SMS 2FA can be abused by bad actors. This can refer to SIM swap attacks, where a hacker convinces your mobile carrier to assign a victim’s phone number to a device controlled by the hacker. By taking over a person’s phone number, the hacker can impersonate the victim and receive SMS codes that allow the hacker to access a victim’s online accounts. But making SMS 2FA available only to Twitter Blue subscribers doesn’t better protect paying users from SIM swap attacks. By encouraging paid users to rely on SMS 2FA, their Twitter accounts are more likely to be taken over if their phone number is hijacked.

That said – and this is important – SMS 2FA still offers much better protection for your accounts than not using 2FA at all. But Twitter’s new policy isn’t the way to encourage users to use more secure 2FA. In fact, companies like Mailchimp are taking the opposite (but correct) approach encourage users to enable 2FA by discounting customers’ monthly bills.

The silver lining – if we can call it that – is that Twitter isn’t scrapping 2FA altogether. You can still protect your account with strong 2FA without paying Elon Musk a dime.

Regardless of whether or not you’ve abandoned your Twitter account in favor of alternative, decentralized services like Mastodon and others, you’ll still want to take action before March 20 to secure your account in the event someone breaks in and starts tweeting on your behalf.

Instead of using 2FA codes sent by SMS, you need app-based 2FA, which is much more secure and as fast as receiving a text message. (Many online sites, services, and apps also offer app-based 2FA.) Instead of having a code sent to your phone via text, you can generate a code through an authenticator app on your phone, such as Duo, Authy, or Google Authenticator to name a few. This is so much more secure as the code never leaves your device.

a screenshot of Twitter's two-factor authentication settings

Image Credits: (screenshot)

To set this up, first make sure you have your authenticator app installed on your phone. Go to your Twitter account and go to Settings and privacyThan Security and account accessThan Security. Once you’re on the Two-factor authentication settings and then select Authentication app. Follow the directions carefully. You may need to enter your account password to get started. Once you’re done, you can log in with your password and then a code generated by your authenticator app.

Remember, this is a much more secure way to access your Twitter account, which means that if you lose your phone, it can be very difficult to access your account again. So keep your backup codes, which can help you access your account if you’re locked out, safe in your password manager. You can find your backup codes in the same place where you set up your app-based 2FA.

Related Posts