What to know about Twitter's 2FA changes
Twitter's decision to stop texting login codes to nonsubscribers is causing confusion about what security tools free users can still enable.
Driving the news: Last week, Twitter started notifying users who don't subscribe to its paid Twitter Blue service that it will stop sending login codes by text message after March 20.
- These login codes are an added form of security to verify that the person who is logging in to the account is the actual owner.
- However, while texts will end, nonsubscribers can still set up multifactor authentication (MFA) with an authenticator app, such as Google Authenticator or Microsoft Authenticator, which generates the login code on the user's own device instead of sending it over the phone network.
- Nonsubscribers should "consider using an authentication app or security key method instead," the company wrote in a blog post last week.
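To make concrete what an "authentication app" does in place of a texted code, here is an added example (not Twitter's code, and not the code of any authenticator app) of the time-based one-time password algorithm, TOTP (RFC 6238), that Google Authenticator, Microsoft Authenticator and similar apps implement. The secret is shared once, at enrollment, via an otpauth:// QR code; every code after that is computed locally from that secret and the clock, so there is nothing for a carrier or a SIM-swapper to intercept. The secret `12345678901234567890` is the RFC test vector, the verifier class and the user and site names are assumptions for illustration, and the server-side check adds the two caveats a practitioner would want: a small clock-drift window, and refusal to accept the same code twice.

```python
"""TOTP (RFC 6238) as used by authenticator apps; added example, not from the original article."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Reference secret from RFC 4226 / RFC 6238 Appendix B; a constructed test input, never use in production.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter = number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def current_totp(secret: bytes) -> str:
    """What the app on the phone displays right now."""
    return totp(secret, int(time.time()))


class TotpVerifier:
    """Server side (hypothetical helper): accept codes within +/-`window` steps of the server clock,
    and never accept a step that has already been consumed, so a phished or shoulder-surfed code
    cannot be replayed."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}  # user -> highest counter already used

    def verify(self, user: str, secret: bytes, code: str, at: int) -> bool:
        if len(code) != self.digits or not code.isascii() or not code.isdigit():
            return False
        counter = at // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue  # this step was already consumed: reject replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):  # constant-time compare
                self._last_counter[user] = candidate
                return True
        return False


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that an enrollment QR code encodes (Google's Key Uri Format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits) confirm the implementation.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(RFC_TEST_SECRET, t, digits=8) == expected
    print(provisioning_uri("ExampleSite", "alice@example.com", RFC_TEST_SECRET))
    print("code right now:", current_totp(RFC_TEST_SECRET))
```

The `verify` method is where an SMS-based flow and an app-based flow differ least and matter most: both must bound the acceptance window and reject reuse, but only the app-based flow keeps the secret off the phone network entirely.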
Why it matters: Receiving a login code via text is the most popular form of two-factor authentication among the small number of Twitter users who have enabled it at all.
- According to data from July through December 2021, the latest numbers available, 2.6% of Twitter users have MFA enabled. Among those, nearly 75% use text-based MFA.
- And it's unlikely those Twitter users will all move to a different authentication method, such as an authenticator app like Google Authenticator.
Yes, but: Text messages are the weakest form of MFA: codes sent over the phone network can be intercepted through SIM swapping or phished in real time, and attackers have increasingly exploited that weakness, contributing to several high-profile data breaches in the last year.
The big picture: Even with text-based login codes enabled, Twitter has still had its fair share of account takeovers and breaches.
- In 2020, hackers took over several high-profile Twitter accounts, including now-owner Elon Musk's, after phishing several employees to gain access to Twitter's internal account-support tools.
- Earlier this month, the U.S.'s top cyber diplomat said his personal Twitter account had been hacked.
Between the lines: Twitter is framing the choice as a move to better secure users' accounts from malicious hackers.
- However, Musk said the change was also because "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages."