
Twitter Has Done Away With Free SMS Two-Factor Authentication. Here’s What Users Can Do To Protect Their Data

The change for subscribers without Twitter Blue will go into full effect by March 20, 2023


With all the debate surrounding Twitter’s validity as a social media platform and information sharing, the application still has a few redeeming qualities, ones that I personally experience every day as part of the work I do here at CCW Digital. As a reporter, Twitter is my go-to source on connecting with fellow journalists, sources for stories and even job opportunities. In fact, well before we used Twitter the way we do now in the news industry, I secured my first full-time job out of college by reaching out to another journalist I admire in a Twitter DM.

Over the years, I’ve watched the platform progress from a social stream of consciousness to a more structured organization focused on quality control and funneling information–or at least that’s what it’s tried to be at times. More recently Twitter has become a polarizing and quickly monetized digital landscape, where individuals and companies are at odds with each other in terms of what the future holds. Users, investors and even its owner Elon Musk are in constant debate about Twitter’s use case, its security and its value. In theory, the company should be more valuable than it’s ever been, thanks to its subscription model. But the reality of Twitter these days is that it’s brittle, fickle and technologically challenged–in fact, the website was down as I wrote this.

While I do not pay for Twitter Blue (even though I’ve been aiming to verify my account for quite some time pre-Musk)–and with tech problems abounding–I still use Twitter as a free tool for news sharing, ideating and networking as I work to weigh my options in terms of where my digital communication should go. Imagine my surprise last Friday when I logged on to share my latest piece for CCW Digital and saw this:

Immediately I had cause for concern: two-factor authentication (2FA) is another layer of security that websites offer users to avoid password hacking, guessing or phishing. Even if someone could guess my password, if they don’t get a text/email to an additional device with a six-digit code to re-confirm their login attempt, it’s useless. Ideally only I have the ability to confirm whether or not a login or password change was my own doing by providing the code delivered to me following a login attempt, or alerting a website that the activity isn’t mine.

While it was announced last month that Twitter would be rolling out paid SMS 2FA soon, the website notes that the change would go into effect on March 20, 2023. My time already? It hadn’t even been two weeks since that news circulated online by the time my 2FA got the Elon ax. Paying for adding security measures is, well, out of pocket for Twitter as I knew it. The announcement itself was quick, jarring and promptly deployed with little opportunity for users to consider alternatives to being immediately forced to abandon account authentication if they want to keep tweeting–even for free. But for Twitter as it is, the change is an understandable business move: as the company appears to lose credibility and the ability to attract users, opting to incentivize Twitter by making SMS 2FA only available to Twitter Blue subscribers is one way to capitalize on its use case.

However, convincing users to pay for a service that has always been free will continue to be an uphill battle. “I logged onto Twitter and was greeted with a notification that said only Twitter Blue subscribers can use two factor authentication. Imagine being so bad at business you make people pay for standard security practices that are free everywhere,” posted one Twitter user in response to the change. “Will never pay.” “imagine putting two factor authentication behind a paywall??? and then making it personal responsibility to remove it, which it won’t actually let me do,” echoed another user. “make it make sense.”

In an era of changing customer expectations and increased customer dissatisfaction, attracting users and turning them into paying consumers requires companies to make internal and external changes, not all of which will please current customers. Objections to change by current users become a warning sign for potential new customers, and in the end the aim of converting users into paying customers becomes useless. Negative news of product changes precedes the opportunity to try a new concept, as is the case with Twitter.

How organizations communicate that change directly impacts how customers will respond to it. Announcing changes in a way that is abrupt or vague can appear to customers as dismissive of their interests. Their trust in a given brand or organization grows when they feel that their needs, requests and even the way they use a product are considered as the brand itself grows. When modifications or adaptations are made without proper–or even clear–communication on how it impacts the user experience, it creates doubt and even anger on the part of the customer. Where they once felt that something was designed for them, they now feel that it was designed without them. 

Twitter is trying hard to alleviate that doubt, responding to objections with highlights of what a paid subscription can do to elevate the user experience. Pay-to-use SMS 2FA sounds unappealing and perhaps even counterintuitive to data security, but users who opt in to Twitter Blue gain access to additional features that customers have long been requesting, such as Tweet editing and longform video posting. Additionally, every Twitter Blue user receives that long-coveted blue verification check mark. Despite what else comes along with paying for SMS 2FA, it still comes off to users as a desperate way to push Twitter Blue subscriptions: pay or lose something you took for granted. Considering that other online platforms offer these features without a price point–2FA included–and the credibility of Twitter verification isn’t what it used to be, it seems that even those “perks” don’t supersede the desire to ditch the Twittersphere altogether.

Even so, there could still be a saving grace down the line when it comes to Twitter’s data security money grab: the company raises some valid points on whether or not 2FA via SMS is the most secure step in ensuring password protection. A simple SIM card swap on a mobile device could make an attempt to authenticate an account null and void–it’s something that’s actually happened to Jack Dorsey. Text messages aren’t encrypted and are susceptible to hackers and scammers, not to mention being costly. “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages,” Elon Musk tweeted in a response to the authentication announcement by the company. Perhaps if Twitter had introduced the end to SMS 2FA with an explanation of why the company saw the change as necessary, as well as its benefit to customers, then the backlash the brand is currently experiencing might be less so. Sharing insight with users on how account authentication can be improved and noting that without the cost of SMS 2FA organizations could better fund product development would make customers feel knowledgeable about and included in the decision making process.

When it comes to decision making, Musk’s social media company isn’t the only one to adopt paid subscription services–Discord, Reddit and YouTube already have similar models, and in recent days Meta announced that it too would be bringing on a pay-to-verify service across Facebook and Instagram by first establishing that it will beta test the features. While easing into the idea is something that many organizations are doing to offset the drop in digital subscription services following the end of pandemic lockdowns, Elon Musk is making sure that Twitter keeps true to the quick-moving style of leadership seen in everything from hiring and firing to technology development. When it comes to the decision to make SMS 2FA a paid feature at Twitter, a beta test, for Musk, is out of the question.

With the chance to opt in–or out–of paid SMS 2FA by choice rather than by force, Twitter users have once again been caught off guard by Elon Musk. And as complaints regarding the organization’s structure continue, customers keep butting heads with the company for a variety of reasons, among them legal: “Reminder: Elon Musk wants you to turn off text two-factor authentication on your account so that it's less secure because you are not paying him, or he will lock your account,” suggests one Twitter user on the issue of authentication. “This is going to lead to class action suits when people get hacked and have damages, but whatever.”

Naturally, my first move after receiving the SMS 2FA notification was also to head to the Twitter-verse and ask my fellow journalists what their new plan of action is now that two-factor authentication has become a paid-for perk, as opposed to a critical component of cybersecurity. Some who anticipated this security change have already moved to Mastodon, others are dedicating themselves to LinkedIn, and others still shared some advice on how to work around paying $8 a month for Twitter Blue. So this week, I’ll be looking at my options and sharing some of them with you:

  • Third party authenticator applications: Similar to how Twitter would prompt a login code delivery to your mobile device, a free downloadable application can do the same, by opting to connect one to your Twitter account. These apps generate a six-to-eight digit code for you to type in within a given timeframe. Companies across the web, including Coinbase and Screeners.com, have already built these into their standard security process.
  • Security keys: Purchasing this piece of hardware is one of the most secure ways to authenticate an account. The security key plugs into your computer, or connects to your phone, when you log in.
  • Password managers: Web features that allow you to save and keep track of your login information across sites and apps are one way to manage your digital accounts. They work best when, as is commonly recommended, you diversify your password across accounts using characters and topics that are not easily guessed. That way, you can encrypt and keep track of the advanced passwords that you only use for one service. A diverse password rolodex is harder to hack, and may allow you to feel safe not using 2FA.

Of course, each of the above options comes with its own risk. All information shared online is in some way vulnerable to hacking, phishing, and scamming. Just as Twitter has its own internal struggles with security and password protection, the companies and individuals creating these security measures are faced with similar obstacles as well. The age-old advice of diversifying and changing passwords regularly, as well as monitoring the information and accessibility that websites and applications have to your digital data, will continue to serve as a buffer against cybercrime.

 
Photo by Joshua Hoehne on Unsplash
