Twitter announced plans to pull a popular method of two-factor authentication for non-paying customers last week. Not only could this make your account more vulnerable to attack, but it may even undermine the platform’s security as a whole and set a dangerous precedent for other sites.
Two-factor authentication, or 2FA, adds a layer of security beyond password protection. Weak passwords that are easily guessed by hackers, leaked passwords or phishing attacks that can lure password details out of a user can all lead to unwanted third-party account access.
With 2FA, a user has another guard up. Simply entering a password isn’t enough to gain account access, and instead the user gets a notification via text message, or uses an authenticator app or security key to approve access.
“Two factor authentication shouldn’t be behind a paywall,” Rachel Tobac, CEO of security awareness organization SocialProof Security, told Engadget, “especially not the most introductory level of two factor that we find most everyday users employing.”
Starting March 20, non-subscribers to Twitter will no longer be able to use text message authentication to get into their accounts. The feature will be automatically disabled if users don’t set up another form of 2FA. That puts users who don’t act quickly to update their settings at risk.
If you don’t want to pay $8 to $11 per month for a Twitter Blue subscription, there are still some options to keep your account secure. Under security and account access settings, Twitter users can change to “authentication app” or “security key” as their two-factor authentication method of choice.
Software-based authentication apps like Duo, Authy, Google Authenticator and the 2FA authenticator built into iPhones either send you a notification or, in the case of Twitter, generate a token that will let you complete your login. Instead of just a password, you’ll have to type in the six-digital code you see in the authentication app before it grants access to your Twitter account.
Security keys work in a similar way, requiring an extra step to access an account. It’s a hardware-based option that plugs into your computer or connects wirelessly to confirm your identity. Brands include Yubikey, Thetis, and more.
Security keys are often considered more secure because a hacker would have to physically acquire the device to get in. 2FA methods that require a code to get in, like via text message or authentication app, are phishable, according to Tobac. In other words, hackers can deceive a user into giving up that code in order to get into the account. But hardware like security keys can’t be remotely accessed in the same way.
“Cyber attackers don’t stand next to you when they hack you. They’re hacking you through the phone, email, text message or social media DM,” Tobac said.
Still, putting any 2FA behind a paywall makes it more inaccessible for users, especially if the version put behind the paywall is as widely used as text-based authentication. Fewer people may be inclined to set it up, or they may be ignoring the pop-ups from Twitter to update their accounts so that they can get back to tweeting, Tobac said.
Without 2FA, it’s a lot easier for unauthorized actors to get into your account. More compromised accounts makes Twitter a less secure platform with more potential for attacks and impersonation.
“When it’s easier for us to take over accounts, myths and disinformation increase and bad actors are going to increase on the site because it’s easier to gain access to an account with a large following that you can tweet out whatever you like pretending to be them,” Tobac said.
Twitter CEO Elon Musk implied that paywalling text-message based 2FA would save the company money. The controversial decision comes after a privacy and security exodus at Twitter last fall. In the midst of layoffs, high-level officials like former chief information security officer Lea Kissner and former head of integrity and safety Yoel Roth left the company.