Why You Should Use Twitter’s 2FA Paywall to Upgrade Your Security Practices

Twitter has announced that it will be removing a popular method of two-factor authentication (2FA) for non-paying customers, a move that could put accounts at risk of attack and undermine the security of the platform as a whole. 2FA adds an extra layer of security beyond password protection, and is designed to guard against weak passwords that can be easily guessed by hackers, or password details that can be stolen through phishing attacks. Twitter will remove text-message-based 2FA for non-paying customers from March 20th, leaving them vulnerable to attack unless they set up an alternative form of 2FA.

The decision has been widely criticized, with many experts suggesting that two-factor authentication should not be behind a paywall. “Especially not the most introductory level of two factor that we find most everyday users employing,” said Rachel Tobac, CEO of security awareness organization SocialProof Security.

Despite the removal of text-based authentication for non-paying customers, there are still options to keep accounts secure. Under security and account access settings, users can change to “authentication app” or “security key” as their preferred method of 2FA. Authentication apps like Duo, Authy, Google Authenticator, and the 2FA authenticator built into iPhones send a notification or generate a six-digit code that the user types in to gain access to the Twitter account. Security keys are a hardware-based option that adds an extra step to accessing an account: they confirm identity by plugging into a computer or connecting wirelessly. Brands include YubiKey, Thetis, and more.

Putting any 2FA behind a paywall makes it less accessible for users, especially if the version put behind the paywall is as widely used as text-based authentication. Fewer people may be inclined to set it up, or they may ignore Twitter's pop-ups prompting them to update their accounts so that they can get back to tweeting. This may result in more compromised accounts, and consequently make Twitter a less secure platform with more potential for attacks and impersonation.

The controversial decision comes after a privacy and security exodus at Twitter last fall, which included layoffs and the departure of high-level officials like former chief information security officer Lea Kissner and former head of integrity and safety Yoel Roth. Twitter CEO Elon Musk has implied that paywalling text-message-based 2FA would save the company money.
