You Will Have to Pay for Twitter Blue to Receive SMS Two-Factor Authentication
Another swell idea from Elon Musk's Twitter
Being on Twitter under Elon Musk is like driving on a street riddled with potholes—it’s bumpy as hell. At best, the changes have been eye-rolling, like how Musk forced himself into everyone’s feeds this week. Something he had to ask other human beings to do for him, because he apparently has the same temperament and self-esteem as a six-year-old. At worst, the changes can endanger the safety and security of its users, such as letting floods of accounts banned for hate speech and misinformation back onto the site, or getting rid of Twitter’s internal Trust and Safety Council. (Because who needs safety, really?) A surprise announcement from Twitter over the weekend joins these two trends in wondrous harmony.
On Saturday, Twitter users started to get a message. “You must remove text message two-factor authentication,” the message said in bold lettering. It continued, “Only Twitter Blue subscribers can use the text message two-factor authentication method.” Users have until March 20, 2023 to remove the authentication method before Twitter automatically removes it for them.
Long story short: starting next month, Twitter is charging its users for basic (and I mean basic) account security.
Two-factor what for members of who?
Twitter Blue is the paid subscription tier of Twitter. It actually launched in 2021, pre-Elon, but almost no one noticed. Once Musk became CEO of Twitter, he raised the price of the “service”—it’s now $8/month for desktop users, $11/month for Android and iOS. To try to make this fee seem worthwhile, Musk started arbitrarily adding perks to Twitter Blue. These adventures have not gone as planned. The best and most incredible example involved a convincing impersonator of pharmaceutical company Eli Lilly tanking the company’s stock value with a single Tweet about free insulin.
Meanwhile SMS two-factor authentication is what happens 98% of the time you try to log into, say, your Apple account on your desktop. In order to verify your identity and prevent your account from getting stolen, the website sends a text message with a code to your phone. You can only use your account after you type the code back into your browser.
Two-factor authentication (also known as 2FA) is considered a very basic staple of account security. As Slate points out, this is the first time a major tech company has disabled 2FA and replaced it with absolutely nothing. It’s especially notable since this, again, basic form of account security will now be behind a paywall.
Now, you might be saying to yourself, “Wait…I know these notifications, but I’ve never gotten them for Twitter.” Here’s the kicker. As pointed out by self-described “hacker” Rachel Tobac, only 2.6% of Twitter users have 2FA turned on. There are actually multiple versions of 2FA. Of that 2.6%, 74.4% receive their authentication codes through text messages. Most others use an authentication app (a smartphone app which generates its own security codes from a secret shared with the site, with no text message involved) or an actual, physical security key.
So having SMS 2FA removed from Twitter’s free, essential services is kind of like staving off a headache for ages and suddenly finding out that your friend had ibuprofen all along. Except now they will charge you $8 for it. We all definitely should have had this automatically turned on. The blame for that lies with Twitter’s previous leadership as well. But it’s something we should just be able to have, not pay for.
The issues with 2FA
I’ve been saying for a while now that SMS 2FA is the most basic form of account security. While it’s better than having nothing in place at all, SMS 2FA specifically offers quite weak security. There is a simple, common hack called a “SIM swap” which easily circumvents SMS 2FA. In a SIM swap, a scammer convinces your mobile phone company to move your number onto a SIM card the scammer controls, so the login codes get texted to them instead of you. It involves more effort than I can fathom, but this somehow works. Often. It even happened to Twitter founder Jack Dorsey.
Twitter’s currently making it seem like this security concern is why they’re getting rid of free SMS 2FA. Of course, it’s actually about money. Reportedly, Twitter lost $60 million in a single year to 2FA text messages sent to scammers. This is undeniably unfortunate, and we all know how badly Musk wants to make Twitter more profitable. Musk even replied to this report with a single “yup.”
Twitter has said that non-Twitter Blue members can still utilize alternate versions of 2FA—authentication apps and security keys—to keep their accounts secure. But there are issues with forcing these methods as the only option. Those risks are especially profound in authoritarian countries, where Twitter is often a vital method for spreading information anonymously. NPR points out that, just like any other app, an authentication app can be blocked, banned, or criminalized by a government. Furthermore, Twitter Blue is only available in a handful of countries at the moment. That means many users won’t even have the option to pay into SMS 2FA.
As for physical security keys—they run from $30 to $85. That puts us right back to the issue of having to pay out-of-pocket for what, on almost every other website, is deemed basic security.
And so, Musk and Twitter have come under fire yet again. But who knows. Like so many of the failed ideas to amplify Twitter Blue, there’s a chance that this policy, too, could be quietly discarded.
(Featured image: Dimitrios Kambouris, Getty Images for The Met Museum / Vogue)