2FA Change: Good for Twitter, Good for Twitter’s Users

U2F Hardware Authentication Security Keys. Photo by Tony Webster. Creative Commons Attribution 2.0 Generic license.

Seldom a day goes by without some new controversy on, or about, Twitter. Elon Musk’s acquisition of the platform worked like a mainline injection of methamphetamine to boost that effect. Consider a February 15 announcement which, even a year ago, would likely have struck most people as boring and technical:

“[S]tarting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. … We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead.”

And, just like that, Twitter users began grabbing for paper bags to hyperventilate into and calling their doctors for panic attack medication prescriptions. Selected tweets:

“Two factor authentication should not be gatekept for people who pay.”

“This is like a landlord charging extra for locks on apartment doors.”

“[R]emoving two factor authentication and making ppl PAY FOR IT?? when it should be offered no matter what (and is on most websites) is beyond messed up.”

Clue #1: Twitter did not remove Two-Factor Authentication.

Clue #2: Twitter is not requiring anyone to pay for Two-Factor Authentication.

You can still use Two-Factor Authentication on Twitter.

You can still use Two-Factor Authentication on Twitter without paying Elon Musk for a Twitter Blue subscription (and, depending on the method you choose, without paying anyone anything).

What you can’t do is use a particular method of Two-Factor Authentication — a method that was, according to Wired magazine as of last November, already “melting down” — on Twitter unless you’re a Twitter Blue subscriber.

You can download a free authentication app for your phone, or you can use a “hardware key” that’s cheap (mine cost less than $20), convenient (plug it into your computer, press the little flashing button on it, and you’re good to go), and works across many sites/platforms (I use mine on, among other sites, Twitter, Facebook, Google, Dropbox, and Microsoft).

Why the change?

To boost Twitter Blue subscriptions? Well, maybe.

Or maybe because, as Musk says, “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages.”

You probably have an “unlimited voice and text” account for your phone. Twitter doesn’t. It pays for what it uses, and it uses a lot. Some of that money goes to phone company scammers who have bots send bazillions of fake SMS authentication requests and rake in the text messaging fees.

Saving $60 million a year is good for Twitter, whether it increases new revenue from Twitter Blue subscriptions or not.

The added security of using an app or physical key instead of trusting a more vulnerable authentication method is good for you.

And those predisposed to cry over nothingburgers get a new one to cry about.

Everybody wins!

Thomas L. Knapp (Twitter: @thomaslknapp) is director and senior news analyst at the William Lloyd Garrison Center for Libertarian Advocacy Journalism (thegarrisoncenter.org). He lives and works in north central Florida.