Twitter's text-based two-factor authentication becomes a paid-only feature
Twitter is going to make text-based two-factor authentication a feature of the Twitter Blue subscription, a change that can affect the security of millions of users.

In a company blog post from Wednesday, which the micro-blogging service highlighted in a Friday tweet, Twitter said it is changing how it handles two-factor authentication. Specifically, one method will be limited to paid users.
Accounts are usually secured with one of three two-factor authentication methods: text messages, an authentication app, or a security key. While the latter two will stay as they are, the SMS authentication option is being turned into a benefit for Twitter Blue subscribers.
In the blog post, Twitter cites how text-based 2FA can "be used - and abused - by bad actors," and says that as of Wednesday it isn't allowing accounts to enroll in SMS 2FA unless they are Twitter Blue subscribers.
Existing SMS-based 2FA users who aren't Twitter Blue subscribers will have until March 20 to disable it and to use one of the other methods. After March 20, non-Twitter Blue subscribers won't be able to use text-based 2FA, with such accounts having 2FA disabled automatically.
"We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead," writes Twitter. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure."
The removal of text-based two-factor authentication is the latest policy change for Twitter in its months-long management by Elon Musk. Other changes have included increasing the character limit on Twitter Blue to 4,000, attempts to introduce a new paid API, and a temporary blocking of links to other social platforms.
Read on AppleInsider

Comments
Most likely, the SMS's were too costly for Elon's liking, while Authenticator apps are both more secure and effectively free for Twitter to support. So from a financial perspective, it makes a lot of sense. From a security posture, forcing users off of SMS and over to an Authenticator app is a good long-term decision.
However, the outright disabling of nonconforming users' existing SMS MFA on March 20 is a terrible idea, as it will expose what is likely millions and millions of accounts to being compromised, should their passwords have been previously harvested. This will particularly impact users who rarely access Twitter anymore, if at all. A better approach here would be to retain the SMS MFA on those users indefinitely, but require them to explicitly disable MFA or switch to an Authenticator app the next time they access Twitter after 3/20. You should never just turn someone's MFA off without their explicit approval.
Regulations are like roads - many people don't really notice them so much when they work well, but only notice the problems with them when they occur (such as a pothole). Roads which themselves are regulated for safety, materials, width, striping, signage, etc., in case you weren't aware.
How many in Palestine, OH, enjoyed or even noticed the rail safety regulations that were reduced/removed in the past years, until they experienced the results of too little regulation in 2023?
https://www.eesi.org/articles/view/trump-administration-loosening-regulations-for-rail-transportation-of-flammable-natural-gas
https://www.miamiherald.com/detour/article272528156.html
EAST PALESTINE, OH—Gathering in front of the toxic decimation unfolding as a result of lax safety standards and lack of governmental oversight, Ohio Gov. Mike DeWine (R) held a press conference Thursday to champion the Norfolk Southern train derailment as a deregulation success story. “Ladies and gentlemen, behold, as the results speak for themselves—deregulation works,” said the native Ohioan to grand applause, before acknowledging the decades of hard work it took on both national and local scales to bypass costly red tape and bureaucracy and turn this forgotten part of his state into a thriving chemical wasteland, itself a testament to throwing caution and concern to the wind in favor of removing guardrails and severely underfunding infrastructure...
https://www.theonion.com/officials-champion-ohio-train-derailment-as-deregulatio-1850119896
I admired Steve Jobs, but I don't canonize corporate CEOs the way a lot of people seem to do these days. YMMV
And then there’s the standards groups that allowed for a great deal of innovation — even if it’s self-regulation, it’s still regulations.
Also, “fascist”, really? Take a Xanax there buddy. After that look up the definition of fascist and maybe do a little reading from bona fide experts about what constitutes fascism. Conservative mouthpieces don’t qualify.