Starting next month, Twitter says only paid Twitter Blue subscribers will be able to use text messages as a two-factor authentication method. Free users with the setting already enabled have until March 20 to switch to a different method.
Two-factor authentication, also known as 2FA, helps protect accounts by adding an additional verification step to the login process. For instance, instead of just typing in your password, a website could ask you to enter a code it has texted to you.
"While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors," Twitter said in a Wednesday blog post announcing the change. "So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers."
Twitter said two other 2FA methods, authentication apps and security keys, will still be available for all users. According to technology news website CNET, authentication apps are a more secure 2FA method than text messages, keeping out hackers who port phone numbers to new devices in a move called "SIM swapping."
However, according to Twitter's public transparency data, those methods are less popular. Only 2.6% of active accounts had at least one 2FA method enabled from July 2021 through December 2021, the site's most recent reporting period. Nearly 75% of those accounts were using text message-based 2FA.
SocialProof Security CEO Rachel Tobac pointed out the data Friday, writing that app-based 2FA is still new to many people.
"SMS 2FA is all they know, and very few people know *that* at all!" Tobac wrote on Twitter. "Remember, only 2.6% are enrolled in 2FA at all! In security bubble, (multi-factor authentication) seems obvious but to everyday folks it’s still confusing."
Twitter's official blog post didn't clarify how "bad actors" had abused text message 2FA. However, company owner Elon Musk responded "Yup" to a user tweet alleging that Twitter was changing the policy "because Telcos Used Bot Accounts to Pump 2FA SMS," and that the company was losing millions of dollars a year "on scam SMS."
The social media platform launched Twitter Blue, a subscriber service granting blue "verification" checks and other perks for a monthly fee, after Musk bought the company last year.