Twitter has made another controversial change, allowing only paying subscribers to use SMS-based two-factor authentication (2FA).
Two-factor authentication via SMS is one of the methods users can enable to increase the security of their account: each login requires a code sent via SMS, which prevents an attacker from getting into the account using only the email address and password.
Here’s everything you need to know about the changes.
What did Twitter say?
Twitter has announced that from next month, only subscribers to the £8/month Twitter Blue service will be able to use SMS login codes as a two-factor authentication method to secure their accounts.
There are currently three 2FA methods available: SMS, Authenticator App, and Security Key.
After March 20, “only Twitter Blue subscribers can use text messages as a two-factor authentication method.”
Other forms of two-factor authentication, where people enter a code from an app like Authy or Google Authenticator, or sign in with a physical security device, will still be available to all users.
Twitter said: “To be clear, two-factor authentication is still not required to sign in to Twitter, although we strongly encourage users to enable it. This change only limits the 2FA methods available to accounts that do not follow Twitter Blue.”
Since buying Twitter, Elon Musk has been trying to transition the company from ads to monetizing Twitter Blue, promising to introduce many new features, many of which have yet to be implemented.
One of the changes made to attract subscribers to Twitter Blue is access to the blue tick that was previously reserved for verified people such as politicians, journalists, or celebrities.
However, less than one percent of the platform’s active users currently subscribe to Twitter Blue.
As advertising revenues fall and Twitter Blue’s revenues stumble, Mr. Musk, who has raised billions in equity and debt financing to fund his acquisition of Twitter, has hinted that the company is losing large sums of money.
Why are the rules changing?
Musk appears to be concerned about the cost of maintaining the SMS service, given that Twitter pays millions of dollars to text login codes to users.
A blog post on the Twitter page states: “While this has historically been a popular form of 2FA, we have unfortunately seen phone number-based 2FA used and abused by attackers.”
The blog post didn’t address the nature of the so-called “bad actors,” but on Twitter, Mr. Musk seemed to agree when a user stated that some phone companies use “bots” to keep track of the number of texts sent.
In response to a tweet claiming that such “scams” were costing Twitter $60 million a year, Mr. Musk responded “yes.” There is no public evidence of such an operation.
What if I have already subscribed to SMS 2FA?
The website states: “Already registered non-Twitter Blue followers have 30 days to opt out of this method and follow another.
“After March 20, 2023, we no longer allow non-Twitter Blue subscribers to use text messages as a 2FA method. At this point, accounts with SMS 2FA enabled will be disabled.
“Disabling 2FA text message will not automatically disable your phone number from your Twitter account. If you choose to do so, you can find instructions on how to update your account phone number on our help center.
“We encourage non-Twitter Blue followers to use an authentication app or security key method instead. These methods require you to physically own the authentication method and are a great way to keep your account secure.”
What was the reaction?
Many have expressed concern that Twitter has placed an important security feature behind a paywall, which could lead to more accounts being compromised.
Only a minority of Twitter users use some form of 2FA, but of these, text-based two-factor authentication is the most popular option, as it requires only a phone and no special app.
With the feature being withdrawn, people feared that many would simply disable 2FA instead of switching to another method.
One Twitter user wrote: “To be clear, most people will not pay for the text check they use for free on any other app, or they will switch to another Twitter-only method. You just turn it off. Congratulations, you’ve made the app less secure for everyone…”
Another said: “I love the irony of ‘oh yes, we still recommend it. We’re just making it harder and more expensive for you to use.’”
Since his acquisition in October, Musk has laid off about half of Twitter’s 7,500 employees.
Other employees were asked to save up to $3m (£2.68m) a day on the technical infrastructure — the servers and computers that keep Twitter online under the weight of its 238m daily revenue-generating users.
The 51-year-old, who has described himself as a “free speech absolutist”, has also reinstated some previously suspended accounts, including Donald Trump’s account, although the former US president has yet to return to the platform.
Mr. Musk said he would step down as CEO and hire a replacement in December after a poll advised him to do so, but he has yet to do so.
Twitter officials, as well as cybersecurity academics, have also raised concerns that the site could see more bugs and major outages in the coming months, after last week’s crash illustrated the risks associated with downsizing and spending cuts.