Twitter security settings change a ‘desperate drive’ to save money, experts say

The platform announced over the weekend that it was changing its approach to two-factor authentication.

Martyn Landi
Monday 20 February 2023 10:50 GMT
Twitter will now only allow paying subscribers to its Twitter Blue programme to use a text message to confirm their identity (Andrew Matthews/PA)


Twitter’s changes to its user security settings around two-factor authentication are a “desperate drive” to save the company money rather than protect users, a cybersecurity expert has claimed.

Graham Cluley said Twitter’s decision to only allow paying subscribers to its Twitter Blue programme to use a text message to confirm their identity when logging in to the site would leave “many users worse protected”.

Over the weekend, Twitter users began receiving a message telling them that text message-based two-factor authentication (2FA) was being moved into the Twitter Blue subscription – and that anyone who did not want to join the pay monthly subscription must stop using the security feature or lose access to Twitter.

The company said the new policy would take effect on March 20.

Two-factor authentication is a security feature designed to make online accounts more secure as it requires users to confirm who they are using a second log-in method after entering their username and password.

Currently, Twitter users can opt to receive an automatically generated text message containing a code – which is sent to the phone number linked to their account – and use this code to complete their login.

But users have now been sent a message telling them “you must remove text message two-factor authentication”, and have instead been encouraged to choose a different method, such as a physical security key that plugs into a user’s device, or an authentication app.

Mr Cluley said that although it was true that other forms of 2FA were more secure than text messages, Twitter’s approach to the change was questionable.

“Yes, authentication apps and hardware keys are a more secure way to harden your account than SMS-based 2FA… but this is being done by Twitter in a desperate drive to save itself money, NOT to improve the security of its users,” he tweeted in response to the change.

“Many users will be left worse protected than before.”

Other commentators said that while it was better to try to move users away from text message-based 2FA, Twitter’s approach could create confusion among users who were not cybersecurity experts and were unaware of the different forms of 2FA.

Javvad Malik, lead security awareness advocate at cybersecurity firm KnowBe4, said Twitter’s announcement had given out “mixed messages”.

“On one hand it is a positive move to restrict SMS as a second authentication mechanism because of its weaknesses and the ability of criminals to social engineer users,” he said.

“On the other hand, by making it available to paying Twitter Blue subscribers, it gives the impression that it is a premium security feature, which it is not.

“From a technical perspective, the use of alternative 2FA methods, such as using an authenticator app is more secure than 2FA. But we have an educational issue whereby most people are still not overly familiar with how these options work, or how to enable them.

“Therefore, what we see here is not necessarily a technical security issue – but rather one of usability and education, one where it’s important to architect security controls in a manner that makes the user experience a frictionless one, while at the same time enhancing the security.”

In response, Twitter owner Elon Musk defended the decision by claiming that the platform was “getting scammed by phone companies” for millions of dollars each year through “fake” 2FA text messages.

And in a blog post on the issue, Twitter said: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.”
