Twitter’s New 2FA Changes Begin Today, Here’s What You Need to Know
Twitter is disabling its two-factor authentication (2FA) on accounts not subscribed to Twitter Blue today. This means that accounts utilizing the 2FA text message feature are to become much less secure moving forward.
Last month, it was announced that text message-based 2FA would become a feature for subscribers to Twitter’s $10/month subscription service. “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors,” the company said. Starting today, this new policy is kicking in.
Until today, non-subscribers would periodically be notified that 2FA would be removed from their account. Twitter allows users to disable the feature themselves and opt for a third-party service. However, as of March 20, Twitter is turning off its text-based 2FA across the board, regardless if you remove it yourself.
In order to maintain a sense of security in your account, you may enable 2FA using a third-party authentication service. There are plenty of useful apps online to use. For instance, Google Authenticator, Authy, 1Password, iCloud Keychain, etc. are all very solid alternatives to Twitter’s 2FA. Most of the aforementioned apps utilize a short 2FA code that is on rotation constantly. This code must then be entered when logging into Twitter on a new device.
This may all seem like a big hassle and truthfully, securing one’s personal account shouldn’t be paywalled. However, there is a bit of a bright side to all of this. Historically, text-based 2FA has always been seen as the least secure form of authentication. Due to SIM cloning and other dubious ways of working around this method, Twitter’s push to get users off its own 2FA may lead to many more secure accounts.
It is recommended to look into a new form of 2FA starting today. Alternatively, you may opt to subscribe to Twitter Blue. However, the least recommended thing users could do is leave their accounts unsecure and without any means of authentication.