Policy Explainer

Twitter 2-Factor Authentication Changes

This month, Twitter announced that as of March 20, text-based two-factor authentication will only be available for Twitter Blue subscribers. Twitter noted that SMS 2FA is very popular, but is the most likely to be abused by nefarious actors. The change was also a business decision as Twitter was losing $60 million a year on scam SMS.

Security professionals are baffled by the change. If SMS 2FA is indeed less secure and more susceptible to scams, why are Twitter Blue subscribers, theoretically those users that take their Twitter usage seriously as a business or personal tool, able to continue using it? Additionally, because regular Twitter users will have to manually change over to a different authentication option (either an authentication app or security key), many are worried that users will forgo 2FA entirely thanks to the hassle. 

Regardless, businesses do not need to worry about the change except in ensuring their Twitter accounts are switched to an accepted 2FA method. With continued device creep and transition away from separate business and personal devices, it would benefit everyone for organizations to send out a reminder for employees to deploy 2FA on their personal Twitter accounts if they are using them on dual-purpose devices.

Though Twitter’s decision to push users toward more secure forms of 2FA stirred up significant discourse over the past weeks, it is likely the best move and is unlikely to present a security risk to your organization. 

In the end, we could all use a reminder to ensure we are using the most up-to-date and secure forms of MFA across our own accounts.