Twitter will limit uses of SMS 2-factor authentication. What does this mean for users?

Only users who pay a monthly fee for Twitter's subscription service will get to use text message authentication in order to keep their accounts secure, the social media company says.

Two-factor authentication is not required to be a user on Twitter, but it is a proven and easy way to help keep accounts secure. It makes it so if someone wants to hack into an account they'd have to have the password and access to the account owner's device.

Twitter Blue costs $11 a month on Android and iOS in the U.S. It's $8 a month for web users. Users have 30 days to sign up or they will see their SMS two-factor authentication (2FA) turned off automatically, the company said.

This announced change to the platform is just the latest in a series of decisions causing serious upheaval at the social media company following Elon Musk's takeover last year.

Twitter says the reason for this move is due to phone number-based two-factor authentication being "abused by bad actors." But the planned move has riled up many users, concerned about wider implications.

At least one user called the decision "vile" and "disgusting."

The company says "disabling text message 2FA does not automatically disassociate your phone number from your Twitter account," but others say it does put user security at risk.

Another user speculated that Twitter's latest move could "lead to class action suits when people get hacked and have damages."

Evan Greer, director of Fight for the Future, a nonprofit digital rights advocacy group, took to Twitter denouncing the move.

In an email to NPR, she called this decision another one of Musk's "chaotic moves." She has been critical of recent actions by Twitter following Musk's takeover of the company.

"Twitter users should never have been put in this situation. Making changes to something as sensitive as 2 factor authentication, which could mean the difference between someone's physical safety and a stalker, abuser or authoritarian government gaining access to their account, should never be made in such a reckless and poorly thought out manner," Greer said in her email to NPR.

The potential impact for users outside of the U.S.

There also seem to be broader implications for accounts in other parts of the world.

Gavan Reilly, a reporter in Ireland, tweeted that Twitter Blue isn't even available in his country yet, "so there is literally no option to maintain the current choice of security."

Twitter Blue only exists in the U.S, Canada, Australia, New Zealand, Japan, the U.K., Saudi Arabia, France, Germany, Italy, Portugal, Spain, India, Indonesia, and Brazil. The company says it plans to expand it.

Greer said limiting the ways a user can protect their accounts "is also a gift to authoritarian governments."

"Sure, it's nice to tell people to go use an authenticator app, but what if their government blocks that authenticator app, criminalizes its use, or gets it banned from the app store?," she noted.

And there are apps, like Duo, that won't work in certain countries if a user's IP address originates in a region sanctioned by the the U.S., including Cuba, Iran, Syria, and areas in Ukraine controlled by Russian forces.

Users should find alternatives to SMS authentication

Two-factor authentication is "one of the most basic forms of security many people use and have access to," Greer said.

It's considered "better than nothing," but she notes it's actually one of the least secure measures to use. That's "because of a relatively simple attack called a 'sim swap' that has become more and more common."

This is when "an attacker calls your cell phone company pretending to be you and convinces them to transfer your phone number to a new device, then sends the 2 factor authentication code" to themselves, she said.

It's generally recommended by digital security experts to switch over to an authenticator app instead of just relying on a phone number, Greer added.

"For readers looking to protect themselves: even if you do have Twitter Blue you should switch away from using SMS for 2 factor and start using an authenticator app," she said. "There are a number of reputable ones, and some password managers even have them included."

Still, Greer said making 2FA a "luxury feature" for certain subscribers is silly and potentially dangerous.

Greer worries for users who are not tech savvy.

"We know that most users simply stick with defaults or just don't take action if they're confused or unsure," she said. "In practice this could mean that millions of vulnerable Twitter users are suddenly booted off of 2 factor authentication and don't set it back up again."

Copyright 2023 NPR. To see more, visit https://www.npr.org.