Twitter Drops SMS-Based Two-Factor Authentication for Unpaying Accounts, Effective March 20
blog.twitter.com

Twitter:

Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled. […]

Even though this is transparently a cost-saving measure, it may not be the worst idea. SMS-based verification is the least secure of all two-factor authentication methods, and Twitter itself was fined last year by the FTC for using the phone numbers it collected for marketing purposes.

If this change affects you, now seems like a good time to remind you that you may not need a third-party app for verification codes. MacOS and iOS support generating codes in the Passwords section of Settings.

Twitter.com seems very healthy.

Update: Ricky Mondello:

[…] The time and effort it takes for a person to set up what Twitter calls “Authentication apps” stymies their adoption. The fact that hardware security keys cost money naturally limits people’s interest in them.

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.

This is a fair argument.

It seems pretty clear Twitter is not abandoning SMS two-factor authentication because it is a less secure method, even though that is how the company is framing it in its announcement. Twitter’s claim that “we have seen phone-number based 2FA be used — and abused — by bad actors” makes little sense as an isolated statement — who cares if “bad actors” protect their accounts with codes sent by SMS? — until you recognize Twitter is actually complaining about how much it costs them to send these texts.