Feb 21, 2023 - Technology

What to know about Twitter's 2FA changes

Illustration of the twitter bird logo as an open padlock

Illustration: Sarah Grillo/Axios

Twitter's decision to stop texting login codes to nonsubscribers is causing confusion about what security tools free users can still enable.

Driving the news: Last week, Twitter started notifying users who don't subscribe to its paid Twitter Blue service that the company will stop sending texts with login codes to users after March 20.

  • These login codes are an added form of security to verify that the person who is logging in to the account is the actual owner.
  • However, while texts will end, the company will allow nonsubscribers to set up multifactor authentication (MFA) for their accounts through app services, including those from Google and Microsoft.
  • Nonsubscribers should "consider using an authentication app or security key method instead," the company wrote in a blog post last week.

Why it matters: Receiving a login code via text is the most popular form of two-factor authentication among the small number of Twitter users who enroll in the service.

  • According to data from July through December 2021, the latest numbers available, 2.6% of Twitter users have MFA enabled. Among those, nearly 75% use text-based MFA.
  • And it's unlikely those Twitter users will all move to a different authentication service, like Google Authenticator.

Yes, but: Malicious hackers have increasingly targeted people via text-based MFA requests, leading to several high-profile data breaches in the last year.

The big picture: Even with text-based login codes enabled, Twitter has still had its fair share of account takeovers and breaches.

Between the lines: Twitter is framing the choice as a move to better secure users' accounts from malicious hackers.

  • However, Musk said the change was also because "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages."

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper