Explained: Twitter is removing a basic security feature from many accounts – here’s how to avoid getting hacked
By ABC technology reporter James Purti
Last month, Twitter announced it was ending free SMS two-factor authentication.
You may have seen this news and you may not have done anything to prepare.
The date for the change is almost here. Starting Monday, March 20, people who haven’t paid $13 a month to subscribe to Twitter Blue will have two-factor authentication (2FA) via SMS disabled.
Here’s what that means, what effect it could have on the platform, and how you can make your account just as secure at no extra cost.
What is two-factor authentication?
It’s an extra layer of security designed to prevent your account from being taken over if your password is compromised.
The most common form is SMS 2FA. After you enter your password, the site texts a one-time code to the phone number on the account; you type that code in to prove you are the account’s owner. Because the code goes to the number on file, the security of SMS 2FA rests on your phone company keeping control of that number.
Other forms of 2FA are software-based authentication tokens and hardware keys. We’ll get to them later.
Banks, social media platforms and other security-conscious organizations generally see 2FA as worthwhile, not least because many people reuse the same password across services, so a breach at one site exposes their accounts everywhere else.
For this reason, SMS 2FA is usually offered free of charge.
Not any more! Why is Twitter dropping free SMS 2FA?
Twitter owner Elon Musk has given two different reasons. One is about money. The other, security.
Last month, Musk tweeted that phone companies were defrauding Twitter of $60 million a year through “fake” 2FA SMS.
That is, Twitter pays the telcos for every 2FA text it sends, and Musk’s claim is that some of them were inflating that bill with bogus messages.
In another tweet, he said authenticator apps (i.e. 2FA soft tokens) were “more secure than SMS”.
Troy Hunt, an internet security expert, agreed, saying “generally, SMS is considered to be the weakest” in the “security hierarchy” of 2FA methods.
This is because an attacker can talk a phone company into moving the target’s phone number onto a SIM card the attacker controls, after which every 2FA text goes to the attacker instead. This scam is known as “SIM-jacking” or SIM swapping. The weakness is in the phone network rather than in the code itself: the text is rerouted without the victim’s phone ever being touched.
Many have pointed out that paid Twitter Blue users will still have access to SMS 2FA, which is hard to reconcile with Musk’s claim that increased security was the reason for the decision to cancel free SMS 2FA.
“If it’s about safety, they should do it [cancel SMS 2FA] for everyone, for Twitter Blue users,” Hunt said.
“The irony is Twitter Blue users are more invested in the platform.”
What effect will canceling free SMS 2FA have on Twitter?
Probably not much, Hunt said.
Don’t expect all hell to break loose on March 20.
“The number of people who have 2FA enabled on Twitter is in the single digits,” Hunt said.
Of these, some already have Twitter Blue. Some can upgrade to Twitter Blue. Others will switch to other methods of 2FA (we’ll get to those). And of those that remain, most won’t have passwords that have already been exposed in a breach.
“You have to imagine there will be some level of increase in account takeover,” Hunt said.
These takeovers cost the individual as well as the organization. Whether the projected increase in account takeovers would cost Twitter more than $60 million a year was a “good question,” he said.
How can I keep my account secure without free SMS 2FA?
You have two options: authenticator apps and hardware keys.
The first of these is the simplest and cheapest. Download one (many are free). Next, go to Twitter and click Settings & Privacy > Security & Account Access > Security > Two-Factor Authentication, select Authenticator App, enter your password and click Confirm. Twitter then shows a QR code (or a text setup key): scan it with the app, type in the six-digit code the app displays to finish enrolment, and keep the backup code Twitter gives you somewhere safe in case you lose the phone. Once the app is working, turn off the SMS option yourself rather than waiting for Twitter to do it.
Authenticator apps are not vulnerable to SIM-jacking: the code is computed on your phone from a secret shared with Twitter at setup, so no text message is involved. But you can still be phished. A site that looks identical to Twitter’s login page can collect your password and the current six-digit code and forward both to the real site before the code expires, because nothing about the code ties it to the site you typed it into.
That leaves the last option: hardware keys.
This is a small device (USB, or NFC for tapping against a phone) that holds a private key which never leaves it. Instead of a code you type, the key signs a login challenge, and that signed challenge includes the address of the site that asked for it, so a signature produced on a look-alike site is useless on the real one. That is what makes hardware keys phishing-resistant.
It is the most secure option, but many people find it inconvenient: you must have the key with you whenever you need to complete 2FA, and a lost key with no fallback means a lost account, so register a second key as a spare and keep the backup code Twitter gives you.
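The property that makes a hardware key different from a typed code is that what the key produces is bound to the website asking for it. The following added example (mine, not Twitter’s or any key vendor’s code) models that exchange along the lines of WebAuthn. The site names are hypothetical, and an HMAC stands in for the key’s public-key signature so the demo runs with the standard library alone; the message layout and the server’s checks follow the real protocol. It shows a genuine login succeeding and the same kind of assertion, relayed from a look-alike site, being rejected:

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical names for the demo: the real site and a look-alike phishing site.
RP_ID = "twitter.example"
REAL_ORIGIN = "https://twitter.example"
PHISH_ORIGIN = "https://twitter-login.example"


class DemoSecurityKey:
    """Stand-in for a hardware key. A real FIDO2 key keeps a per-site private
    key and signs with public-key cryptography; here an HMAC over the same
    bytes stands in for that signature (a simplification for this demo).
    Signed message, as in WebAuthn: rpIdHash || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self._creds = {}  # rp_id -> per-site secret, never exported

    def register(self, rp_id: str) -> bytes:
        # Returns what the site stores at enrolment (with a real key, the
        # public half of a key pair; here the shared HMAC key).
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]

    def assert_login(self, rp_id: str, challenge: str, origin: str):
        # The browser, not the web page, fills in `origin`, so a page cannot
        # lie about where it is running.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        msg = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._creds[rp_id], msg, hashlib.sha256).digest()
        return client_data, auth_data, sig


def verify_assertion(stored_key: bytes, rp_id: str, expected_origin: str,
                     issued_challenge: str, client_data: bytes,
                     auth_data: bytes, sig: bytes) -> bool:
    """Server-side checks, in the order a relying party performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False  # replay of an assertion made for an older challenge
    if cd.get("origin") != expected_origin:
        return False  # assertion was made on a look-alike site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # credential belongs to a different site
    msg = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(stored_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def genuine_login_succeeds() -> bool:
    key = DemoSecurityKey()
    stored = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)  # issued by the real site
    cd, ad, sig = key.assert_login(RP_ID, challenge, REAL_ORIGIN)
    return verify_assertion(stored, RP_ID, REAL_ORIGIN, challenge, cd, ad, sig)


def phishing_relay_succeeds() -> bool:
    """The victim signs in on the phishing site, which forwards the real site's
    challenge and relays the key's answer straight back. Returns whether the
    real site accepts it."""
    key = DemoSecurityKey()
    stored = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)  # fetched from the real site by the attacker
    cd, ad, sig = key.assert_login(RP_ID, challenge, PHISH_ORIGIN)
    return verify_assertion(stored, RP_ID, REAL_ORIGIN, challenge, cd, ad, sig)


if __name__ == "__main__":
    print("genuine login accepted:", genuine_login_succeeds())
    print("relayed phishing login accepted:", phishing_relay_succeeds())
```

The relay fails on the origin check because the signature covers the origin the browser recorded, and the attacker cannot rewrite it without invalidating the signature. In practice it fails even earlier: a real browser refuses to use a credential registered to `twitter.example` from a page on another domain, so the key never produces the assertion at all.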
What will happen if I do nothing at all?
Probably not much.
You will still be able to use Twitter as before.
Starting March 20, if SMS is still your 2FA method, Twitter will prompt you to turn it off before you can continue using your account, which leaves the account protected by your password alone unless you switch to one of the other methods.
The only real change is a hard-to-quantify but significant increase in the risk of your Twitter account being hacked.