On Saturday, Twitter announced that as of March 20, 2023, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription.
Users who do not subscribe to Twitter Blue can use an authentication app or security key for their two-factor authentication (2FA). Assuring users of their security, Elon Musk tweeted, "Use of free authentication apps for 2FA will remain free and are much more secure than SMS".
How will the two-factor authentication work now?
Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional factor such as a numeric code. The Twitter Help Centre defines it as an "extra layer of security for your Twitter account". After enabling this security feature, a user will need their password, "along with a secondary login method –– either a code, a login confirmation via an app, or a physical security key" to log in to their account.
Since Elon Musk acquired Twitter last year, a number of controversial policy changes have been made, with the two-factor change being the most recent. It will now cost $11 per month on Android and iOS, and less for a desktop-only subscription, to get SMS-based 2FA, in which a code received via SMS is used as the secondary login method. That amount is the subscription fee for Twitter Blue, a paid service that is currently the only way to obtain a blue verified checkmark on a Twitter account.
Rationale behind the move
In a blog post shared on February 15, Twitter said, "While historically a popular form of 2FA, unfortunately, we have seen phone-number-based 2FA be used—and abused—by bad actors". Therefore, in a bid to enhance the security of users, the microblogging platform will "no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers" after March 20, 2023.
In an account security report dated July 2022, Twitter stated that only 2.6% of its active users had any type of two-factor authentication enabled. Nearly 75% of those users were using the SMS version. Less than 1% had added a physical authentication key, and nearly 28.9% were using authenticator apps.
What options do the non-Twitter Blue subscribers have?
The option to switch to an authenticator app or a physical security key is available to users who have had their SMS-based two-factor authentication disabled, that is, the users who have not signed up for Twitter Blue.
To get 2FA via an authentication app or a security key, a user can go to Settings on the Twitter web app, which will take them to Security and account access. Tapping Security will take them to Two-factor authentication.
Before using either of the two options, a user must disable the text message option by signing in with their password. The Twitter Help Centre has a detailed guide to setting up 2FA with these two options.