Twitter is Making Text-Based Two-Factor Authentication a Paid Feature Twitter has announced

Twitter is Making Text-Based Two-Factor Authentication a Paid Feature

Twitter has announced the addition of text-based two-factor authentication as a paid feature for those who want to keep their account secure. This security measure prevents unauthorized access to accounts by sending a code via SMS or app directly to the user's smartphone.

Twitter's move comes amid increasing scrutiny and whistleblower complaints about how it protects users' data. The company said they made their decision after witnessing "phone-number based 2FA being misused - and abused" by bad actors.

Twitter Blue users will be the only ones able to use text-based 2FA

Twitter has announced that text-based two-factor authentication will become a paid feature available only to its Blue subscribers. The change was made after the company observed how phone-number based 2FA had been "used and abused" by malicious actors, according to an official blog post.

Twitter announced a security measure this past March 2023 in response to user concerns. As of that date, only those registered as Twitter Blue can use text-based 2FA; those currently enrolled in text-based 2FA have 30 days to disable their enrollment and switch to another type of authentication.

Twitter's blog states that SMS-based two-factor authentication is a popular security measure but has been misused in the past by bad actors. This method requires someone to create a one-time password using their mobile device, which could then be hacked through various methods like SIM hacking -- allowing someone else to access your account using the number on your phone.

However, the blog also noted that SMS-based 2FA is not the most secure method to protect your account. Instead, Twitter suggests users consider other security options like an authenticator app or security key which require physical possession and are more reliable in protecting accounts.

Twitter is also encouraging its users to sign up for its $8 per month Twitter Blue subscription-based service, which adds a blue check mark next to your username. Mr Musk hopes the blue check mark will prompt people to verify their accounts, helping prevent fake ones from appearing on the platform.

Mr Musk introduced the blue check mark as a premium feature in December to increase subscriptions and help the company get out of financial distress. It now costs a monthly fee, with access to features such as Edit Tweet, 1080p video uploads, reader mode and 4,000 character tweets.

Before December 2018, only verified accounts belonging to celebrities, politicians and journalists could access the blue check mark feature. But since its relaunch, anyone willing to pay for it has had access; Mr Musk claims the company lost $4 million per day because of this premium service.

The move comes as Twitter faces increased scrutiny and whistleblower complaints

Twitter has announced the addition of text-based two-factor authentication as a paid feature for those not subscribed to its Twitter Blue subscription service. This move comes amid increased scrutiny and whistleblower complaints over the company's lack of security measures.

Two-factor authentication is a security measure that allows users to log into their accounts by entering their password and receiving an authentication code through text message, authenticator app or security key. It has become increasingly popular on internet services due to its extra layer of protection for user data.

Recently, Twitter revealed that close to 2.6 percent of their members use SMS-based two factor authentication on their accounts. While this convenience has likely been used and abused by bad actors, the company now claims this practice has become widespread.

Twitter will soon require non-Blue users to disable their SMS-based 2FA systems by March 2023 in a move designed to increase subscribers to its Twitter Blue service, which costs $8 a month for web subscribers and $11 for iOS device owners.

Twitter has come under increasing scrutiny from regulators and lawmakers over security, misinformation, and bot issues. A former employee, Peiter "Mudge" Zatko, filed a complaint alleging too much access to his accounts by Twitter - in violation of an 11-year settlement with the Federal Trade Commission (FTC).

Zatko's complaint to the FTC and SEC alleges Twitter has misled investors and regulators about its security practices, underreported fake and bot accounts on its platform, and granted at least one foreign government unfettered access to user data. Furthermore, Zatko contends Twitter violated regional privacy laws by failing to separate cookie functions and deploy them in accordance with international data regulations.

Zatko's complaint comes only months after another whistleblower filed a similar grievance with the FTC and SEC. This time, they claim Twitter's data protection measures violate both European Union's General Data Protection Regulations as well as those of their national data protection watchdogs. Under this regulation, companies are required to keep users' personal information private.

Text-based 2FA has been “used and abused” by bad actors

Twitter CEO Elon Musk recently announced the company will make text-based two-factor authentication a paid feature starting March 20, according to their tweet on Friday. As part of efforts to create a safer platform, only Twitter Blue subscribers will have access to this authentication method after March 20.

SMS-based 2FA may seem secure at first glance, but it may not be as safe as some may think. In fact, the National Institute of Standards and Technology issued a formal recommendation against it back in 2016.

SMS-based 2FA has security risks due to its dependence on password verification. That's why many leading tech companies have abandoned this method in favor of app- and device-based 2FA solutions.

Software-based 2FA is a safer alternative to SMS-based authentication, since it doesn't rely on the phone network for validation. Instead, it generates one-time codes through a mobile app.

RSA now offers their SecurID authenticator as an app that works across devices and platforms. These applications generate token codes based on data from your smartphone and send them directly to your mobile phone for authentication confirmation.

However, these apps do possess vulnerabilities of their own; they can be compromised by malicious actors wishing to gain access to your account. These attacks, known as PUSHes, have become more frequent in recent years due to PUSH attacks.

Hackers frequently employ the technique known as social engineering to manipulate users into providing their codes or login details. This may involve both phishing and text messaging, and it may be combined with other attacks.

Spoofing SMS messages, or sending them from another person's phone or with a cloned SIM card, is extremely easy and could be an effective tool in the hands of an experienced hacker. That is why businesses should adopt stronger forms of 2FA that don't rely on phone networks or SMS for protection.

No matter which option you opt for, a strong password policy is always the most reliable way to safeguard your account and data. It's never too late to improve your cyber hygiene and fortify yourself against online threats.

Text-based 2FA will be disabled for non-Blue users by March 2023

Twitter has announced that text-based two-factor authentication will only be available for subscribers to Twitter Blue, and non-subscribers must disable it before March 2023 or opt for another method of 2FA. According to the company, this move is designed to weed out "bad actors" and safeguard users' accounts.

Twitter recently issued a blog post outlining their decision that only paid Blue users can utilize text messages as their 2FA method. Non-Blue users already enrolled in the service have 30 days to disable text message 2FA and switch to another method; after this deadline has elapsed, any Twitter accounts still using text message 2FA will be automatically deactivated.

SMS-based two factor authentication (2FA) has become a widely used method for account authentication, yet it may not be the most secure solution to protect sensitive data. This is because hackers can easily intercept and spoof SMS messages sent by online services, leading to potential data breaches.

There are more secure methods to protect your online data, such as IP-based authentication. This type of verification checks the user's IP address and can be combined with other methods for extra protection against malicious IP addresses or ranges that have previously been compromised. It's an ideal option for blocking access from specific IP addresses that have been known to be malicious or compromised previously.

SMS-based 2FA remains a popular form of authentication, especially among businesses and government agencies due to its ease of setting up and wide availability of mobile phones with SMS messenger apps.

But the SMS system in which these codes are sent is vulnerable, lacking end-to-end encryption. Hackers can spoof or intercept SMS messages, redirect them to a virtual phone number or even alter their destination in their own network.

This poses a grave problem, as it leaves the door wide open for anyone to take control of your account with the code sent via SMS. Not only is SMS-based 2FA vulnerable, but email as well.

There are more secure methods of 2FA available, such as hardware tokens and biometrics. These require a physical device which may be difficult to steal or replace, making them much safer than text-based methods and providing better protection against unauthorized access. Furthermore, these measures offer additional assurance when the user forgets their password.