What to know about Twitter's 2FA changes
- Sam Sabin, author of Axios Codebook

Illustration: Sarah Grillo/Axios
Twitter's decision to stop texting login codes to nonsubscribers is causing confusion about what security tools free users can still enable.
Driving the news: Last week, Twitter started notifying users who don't subscribe to its paid Twitter Blue service that the company will stop sending texts with login codes to users after March 20.
- These login codes are an added form of security to verify that the person who is logging in to the account is the actual owner.
- However, while texts will end, the company will still allow nonsubscribers to set up multifactor authentication (MFA) for their accounts through authenticator apps, including those from Google and Microsoft.
- Nonsubscribers should "consider using an authentication app or security key method instead," the company wrote in a blog post last week.
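To make concrete what an authenticator app does in place of a text message, here is an added Python example (not Twitter's code and not from the article) implementing time-based one-time passwords as specified in RFC 6238 and the HOTP construction it builds on (RFC 4226). The site and the app share a secret once at enrollment; afterwards each code is an HMAC over the current 30-second time step, so no code ever travels over the phone network. The secret and timestamps are the published RFC test values; the drift window and replay check in `verify_totp` are this example's own design choices, not a description of how Twitter's server behaves.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, take N digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks a window
    chunk = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is simply the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(text: str) -> bytes:
    """Enrollment QR codes carry the shared secret as Base32 (often without padding)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server-side check. Returns the accepted counter, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_counter` so a captured code cannot be
    replayed within its validity window.
    """
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))            # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    accepted = verify_totp(secret, totp(secret, 59), 59)
    print("accepted counter:", accepted)
    print("replay rejected:", verify_totp(secret, totp(secret, 59), 59, last_counter=accepted) is None)
```

Note that the verifier stores only the highest counter it has accepted; once a code is used, the same six digits are refused even though the time step has not yet rolled over, which is the property a texted code cannot offer once it has been read by someone else.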
Why it matters: Receiving a login code via text is the most popular form of two-factor authentication among the small number of Twitter users who enroll in the service.
- According to data from July through December 2021, the latest numbers available, 2.6% of Twitter users have MFA enabled. Among those, nearly 75% use text-based MFA.
- And it's unlikely those Twitter users will all move to a different authentication service, like Google Authenticator.
Yes, but: Malicious hackers have increasingly targeted people via text-based MFA requests, leading to several high-profile data breaches in the last year.
The big picture: Even with text-based login codes enabled, Twitter has still had its fair share of account takeovers and breaches.
- In 2020, hackers took over several high-profile Twitter users' accounts — including now-owner Elon Musk's — after nabbing several employees' internal accounts.
- Earlier this month, the U.S.'s top cyber diplomat said his personal Twitter account had been hacked.
Between the lines: Twitter is framing the choice as a move to better secure users' accounts from malicious hackers.
- However, Musk said the change was also because "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages."