Twitter has been criticized for attempting to charge users for SMS-based two-factor authentication, with an expert warning that security on the platform is about to deteriorate.
Last week it was announced that only paying Twitter subscribers will be able to use two-factor authentication (2FA) via SMS from next month.
Two-factor authentication is an important security tool that requires users to enter a one-time code or present a security key in addition to their password. The code can be delivered via a text message, generated by an authenticator app, or replaced by a physical security key.
Although two-factor authentication via text messages is considered significantly less secure than the other options, it is more commonly used and still seen as better than no protection.
In a blog post about the changes, Twitter said that non-paying users will have 30 days to opt-in to another authentication method before it is completely disabled.
“While traditionally a popular form of 2FA, we’ve unfortunately seen phone number-based 2FA used – and abused – by bad actors,” the Twitter blog post said.
“So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
According to the most recent figures, only 2.6 percent of Twitter users have two-factor authentication enabled, but nearly 75 percent of those users do so via SMS verification.
Now only those who pay for Twitter Blue can use this method of two-factor authentication.
Twitter Blue is the new subscription service for the platform launched by new CEO Elon Musk. The service costs users $19 per month on iOS and $13 per month on the web.
This means that cybersecurity on Twitter is likely to deteriorate significantly as a result of these changes, said Professor Asha Rao, associate dean of mathematical sciences in the School of Science at RMIT University.
“With Twitter’s latest policy, we may see even fewer people using two-factor authentication because they don’t realize it can be done in another way, such as an app like Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile or 1Password,” Rao said.
“Social media companies could create authentication technology solutions and embed those solutions into their platforms. But until now, we have not seen any of the social media giants proactively monitor cybersecurity in this way.”
There are also concerns that Twitter’s move has made two-factor SMS authentication seem like a premium feature for paying users, despite being a less secure form of the service.
Social media companies need to do more to address cybersecurity, Rao said.
“Social media already has a cybersecurity problem,” she said.
“We lack both incentives for positive behavior and repercussions for social media companies that fail to protect the vast amounts of data they collect about users.
“In contrast, the consequences of insecure data in the banking and financial sector are obvious to everyone and the expectations of companies in this sector – both legal and social – reflect that. This is not the case for companies like Twitter or Meta, which have poor cybersecurity practices and policies.”
Two-factor authentication via SMS is considered less secure, in part due to the prevalence of SIM swapping attacks, where a hacker uses personal information to convince a mobile carrier to transfer the victim’s mobile number to a new SIM card.
This allows the criminal actor to send and receive messages on behalf of the victim and bypass two-factor authentication if enabled using SMS.