
Twitter lands itself in the middle of the SMS 2FA debate

Very few Twitter users have two-factor authentication enabled, and most who do use SMS.
Francis Scialabba

Twitter owner Elon Musk announced the site would no longer allow users to use the platform’s SMS 2FA to secure their accounts, unless they purchased a Twitter Blue subscription by March 20—effectively paywalling a basic security feature.

Musk blamed the change on fraud, saying telecoms around the world collectively defraud Twitter of $60 million a year through spam SMS requests. The reaction wasn’t pretty—as BuzzFeed reported, most users who weighed in on the matter on Twitter were frustrated by the change. Twitter has struggled since Musk took over the site in 2022, and the removal of SMS 2FA struck some as a “desperate” move to raise revenue by making free users’ experience worse.

Subscription-free Twitter users, however, will still be able to use third-party authenticator apps or physical security keys as 2FA methods to secure their accounts. While any type of 2FA is preferable to using a password alone, other methods are considered more secure than SMS, which is vulnerable to SIM-swapping and eavesdropping. Experts who spoke with IT Brew disagreed on whether the move would prove harmful, though all took Musk at his word that the primary motivation for the switch was financial.

Vittorio Bertocci, chief architect at Okta, told IT Brew that the infrastructure necessary to run SMS 2FA can be complicated, as it’s a “multi-party affair” involving the customer, the identity management provider, and SMS/mobile operators across the planet. Billing is particularly thorny, he said, as factors like the cost of each text or who is responsible for preventing fraud depend on contractual specifics and the location of each party.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“When you try to make [security] arguments to middle management, things like phishing resistance, it doesn’t always resonate, especially if they haven’t been hit by some significant incident,” Bertocci said. “But absolutely everyone is sensitive to the money argument.”

Twitter’s most recent account security report, dated July 2022, shows very low adoption of 2FA among users in general. Just 2.6% of users had some kind of 2FA method enabled, and of those, 74.4% used SMS authentication. Only 28.9% of users with 2FA used an authenticator app, and 0.5% used physical security keys.

It’s likely many Twitter users will simply disable SMS 2FA without bothering to switch to another method, Bertocci added. “Users are lazy,” he said. “And users are not interested in the details. We’re not savoring the experience of authentication. We just want to see the tweets.”

Andy Thompson, identity security firm CyberArk’s offensive cybersecurity research evangelist, told IT Brew that he expects other firms to follow suit due to the high cost of and relatively poor security offered by SMS 2FA. He noted the National Institute of Standards and Technology (NIST) recommended deprecating SMS 2FA all the way back in 2016.

“This is just the first of many dominoes to come,” Thompson predicted. “This is unfortunate that Twitter is dealing with the media blowback, but I believe that we will eventually deprecate SMS to the point where this will no longer be used at all.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
