Here is Elon Musk’s latest cash-generating idea for Twitter, or at least an attempt to incrementally reduce operating expenses: Next month, the service will restrict access to the simplest form of two-factor authentication — which provides a second layer of security to confirm a user’s login credentials — to Twitter Blue subscribers.
Twitter on Friday announced that as of March 20, 2023, only Twitter Blue subscribers will be able to use text messaging as their two-factor authentication method to verify their username and password when they log in to a new device. Non-subscribers will still be able to enable two-factor authentication (or 2FA in tech lingo) using either an authentication app like Google Authenticator or a physical security key.
If you have text messaging enabled for two-factor authentication on Twitter, and you’re not paying for Twitter Blue, Twitter says on March 20 it will disable the security feature on your account (unless you have switched to another form of 2FA).
Note that Twitter doesn’t require anyone to use two-factor authentication, but it recommends the security step in order to make it harder for someone to hack into your account.
Why the change? Officially, Twitter says it is restricting the text-based two-factor authentication because it has been “abused” by “bad actors” — in other words, it’s somewhat easier to hack than other methods. How restricting text-message 2FA to only paying customers will improve security isn’t exactly clear.
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors,” Twitter said in an article on its support site. (The new help article is dated Feb. 15, while Twitter publicly announced the change on Friday, Feb. 17.)
But Twitter also is in desperate need of revenue, after Musk assumed $12.5 billion in debt to swing the $44 billion takeover of the social network. Note also that Twitter incurs some cost for sending out 2FA verifications via SMS, which may be another reason it’s moving the feature behind a paywall.
Verifying a Twitter account via SMS text message is the easiest way to use 2FA with the app, since it doesn’t require anything beyond the phone you already have. Setting up 2FA through an authentication app or security key requires you to jump through a few more hoops; Twitter details how to do this on its support site.
Twitter Blue, which includes a blue verified check-mark and will soon be the only way to get the badge, costs $8 per month if purchased via the web and $11 per month on iOS or Android. The company relaunched the program in December with new safeguards designed to prevent impersonators, after Twitter’s first attempt to launch blue check-marks for anyone who subscribed resulted in widespread confusion. Other perks of Twitter Blue include the ability to edit a tweet within a 30-minute window after it has been posted, and prioritization of a subscriber’s replies to tweets that they interact with.
In another initiative aimed at boosting revenue, Twitter plans to start charging companies to maintain the gold check-mark verification badges the company introduced in December, which replaced the blue check-marks for businesses. According to early reports, Twitter will charge $1,000 per month, plus an additional $50 monthly for each affiliated sub-account, for the gold check-mark status.
On Friday evening, Twitter began displaying this warning message to users who have two-factor authentication via SMS enabled: