
Twitter’s ditching of free text-message authentication doesn’t imply that it is best to forgo utilizing 2FA. As a substitute, change to a different – and, certainly, higher – 2FA possibility.
Beginning at present, Twitter is disabling SMS-based two-factor authentication (2FA) for all however paying customers following a call that, not in contrast to different current strikes by the social media big, has been met with controversy that has reverberated far past the Twitterverse.
“Whereas traditionally a preferred type of 2FA, sadly, we have now seen phone-number primarily based 2FA be used – and abused – by unhealthy actors,” reads Twitter’s statement asserting the change in the midst of February.
Through the years, the corporate and lots of of its customers – including one-time Twitter CEO Jack Dorsey – have realized the exhausting means that telephone numbers don’t make for good identifiers and textual content messages are weak to hijacking.
Quick ahead (virtually) to the current and the platform’s present CEO Elon Musk had this to say on Twitter’s dropping 2FA: “Twitter is getting scammed by telephone corporations for $60M/yr of faux 2FA SMS messages.”
Earlier than you say, ‘good riddance to SMS 2FA’, nonetheless, contemplate that utilizing any 2FA methodology is much better than relying in your password alone. This then begs the query: have you ever ready for the demise of free SMS 2FA so that you just keep away from placing your Twitter account at heightened danger for hacking? In current weeks, Twitter has been nudging customers away and to a different two-step login methodology, but when these haven’t executed the job, now could be actually the time to behave.
Right here’s how one can improve the safety of your Twitter account with out SMS 2FA – and maintain it safer than ever earlier than. Even in case you belong to the 0.2 percent of Twitter users who’re paying for subscriptions to the platform, maintain studying – a lot of this recommendation may very well turn out to be useful for you, too.
How 2FA authentication works – and the way it fails
As you in all probability know by now, 2FA provides a useful layer of safety to your account and is especially helpful in case your password is stolen. It’s unlucky, then, that solely 2.6 percent of active Twitter accounts had at the least one 2FA methodology enabled within the second half of 2021 (up from an much more meager 2.3 % a yr prior). Of these, three-fourths used textual content messages as their second authentication issue.
This type of 2FA – which was first developed within the mid-Nineties (again then, they used pagers for that) – has turn into by far the most well-liked 2FA methodology throughout e mail and social media platforms, on-line shops and banks.
Clearly simply ready for a textual content with a code and getting into the code after inputting your password is a handy strategy to improve your account safety. However whereas any second issue is much better than none, 2FA over textual content messages is lengthy identified to be prone to varied assaults as incoming texts are unencrypted and could be intercepted, learn or redirected by decided attackers with relative ease. Again in 2016, the USA’ Nationwide Institute of Requirements and Know-how (NIST) known as for SMS-based 2FA to be phased out.
Latest years have seen a bevy of studies of attackers having access to folks’s on-line accounts following, for instance, profitable SIM swap scams. These scams contain criminals tricking telephone carriers into porting their goal’s telephone quantity to a tool below their management. From there, they will break into the victims’ banking, social media and different accounts that use the identical telephone quantity for 2FA. None aside from former Twitter head Jack Dorsey fell sufferer to this assault in 2019.
Through the years, safety researchers, together with these at ESET, have discovered many examples of malware that’s able to circumventing folks’s 2FA protections.
For instance, means again in 2016, ESET researchers noticed an Android banking trojan that was stealing login credentials for 20 cell banking apps. It bypassed SMS codes, the malware handed all obtained textual content messages on to the criminals. Three years later, ESET found malicious apps that leveraged novel methods to learn notifications with one-time passwords (OTPs) popping up on the machine’s display screen.
Twitter’s personal 2FA protections and safety posture got here below scrutiny in 2020 when a vishing assault on its workers led to the hijacking of some 130 accounts belonging to distinguished figures. Within the hack, the attackers subverted Twitter’s 2FA protections and used the accounts of Barack Obama, Elon Musk and Invoice Gates and others to hawk a Bitcoin rip-off.
To perpetrate the hack, criminals mimicked Twitter’s professional VPN web site the place workers enter their credentials. As quickly as attackers entered login credentials into the actual Twitter VPN and waited for workers to obtain one-time passwords. As soon as the victims stuffed within the password within the phony VPN, the hackers had been in.
So, what are your 2FA choices on Twitter now?
Use of free authentication apps for 2FA will stay free and are rather more safe than SMS https://t.co/pFMdxWPlai
— Elon Musk (@elonmusk) February 18, 2023
There are two different fundamental varieties of 2FA authentication that Twitter helps and which are safer than textual content messages.
First, you need to use an on-device authenticator app comparable to Microsoft Authenticator or Google Authenticator, which supplies strong safety and is extra versatile than a {hardware} key (extra on that later).
Authenticator apps generate a one-time code that you just use to verify your identification when logging into a web site or app. This won’t sound too totally different from SMS 2FA authentication, however the app’s benefit is that as a substitute of getting a code despatched to you through a textual content message, the code seems within the app and is linked on to the machine, fairly than to your telephone quantity.
As a corollary, app-based authentication considerably complicates issues for anybody who needs to learn or steal your code. (Malware that may steal authenticator codes isn’t unheard of, nonetheless.)

Twitter app 2FA settings earlier than the change
If you wish to elevate your safety sport additional nonetheless, contemplate getting a {hardware} safety key that you just join through USB, NFC or Bluetooth. Bodily keys present a excessive degree of safety, particularly as a result of the codes can’t be intercepted or redirected. With a view to break into your account, criminals must steal the important thing in addition to get ahold of your login credentials.
One attainable draw back is that you need to carry the important thing each time you wish to log in. Furthermore, at the moment obtainable keys aren’t universally supported by all units and platforms. Additionally, be ready for costs beginning at round US$25. Extra superior variations, comparable to these with fingerprint recognition, might set you again for greater than US$100.
What else are you able to do to enhance your Twitter safety?
Whereas switching away from SMS-borne 2FA, make sure that to evaluate your account safety and privateness settings. Amongst different issues, set a powerful and distinctive password (in case you don’t use one already) and contemplate taking these steps to staying secure whereas utilizing the platform.
And in case you already are, or plan to turn into, a Twitter Blue subscriber, you’re clearly greatest off ditching SMS 2FA in favor of an authenticator app or a {hardware} key.