Twitter ends SMS-based authentication for free accounts
Twitter have recently announced that SMS two-factor authentication will only be offered to verified or paid accounts. Whilst there are still other forms of multi-factor authentication (MFA) that free accounts will be able to use, Twitter’s decision to charge for the ability to maintain text-based MFA may reduce account security measures for some customers. This potentially opens the door for further takeover attempts by attackers.
It should be relatively well-known by now that SMS-based multi-factor authentication is not the strongest form of security: codes are transmitted without encryption, which makes them significantly easier to intercept. Another disadvantage of SMS is that attackers can sometimes trick phone service providers into disclosing secret authentication codes, again because no encryption is used.
Twitter will still offer two other methods of 2FA – using an authentication app as well as security keys.
As per one of our latest blog posts, the most secure method we recommend would be to use an authenticator app such as Duo, Google Authenticator or the Microsoft Authenticator App.
Twitter went on to say that unverified or free accounts that are already enrolled in MFA will have until 20 March 2023 to disable SMS-based authentication and enrol in either of the other two methods. After this date, they will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled – so if you still use SMS-based MFA to authenticate, it’s important that you consider downloading the relevant smartphone app before then.
If you wish to know more about how to switch over from text-based authentication, you can learn more about 2FA on Twitter from their help center.