The Guardian (USA)

Twitter is ending free SMS two-factor authentication. So what can you use instead?

- Josh Taylor

On the weekend, Twitter announced that from 20 March, people who haven’t subscribed to Twitter Blue will have two-factor authentication via SMS disabled.

Twitter has recommended people use third-party apps or a security key instead, but for the overwhelming majority (74.4%) of the 2.6% of active Twitter users who use SMS as their method of authentication, it will mean they have a month to switch or potentially lose protection.

So what is two-factor authentication and what should you do to secure your social media account?

What is two-factor authentication?

Two-factor authentication (2fa) is a second step once you have logged into an online account with a password to prove you are who you say you are. It is an extra layer of security so if your password is compromised, it will be slightly harder for someone to access your account.

For authenticator apps and SMS two-factor authentication, you are sent or provided with a number or numbers for you to enter back into the website.

Most online services like social media platforms, banks and ones used in workplaces now either require or strongly recommend people use 2fa on their accounts.

Why is Twitter switching away from SMS-based 2fa?

Twitter claims that SMS 2fa has been “used and abused by bad actors”. The company’s owner, Elon Musk, claims this abuse is costing Twitter about US$60m a year.

While the company is correct that SMS-based authentication is not the best, it is not widely considered to be a money-making venture for those who misuse it.

Why are other apps better than SMS for authentication?

Although no method is foolproof, SMS is much easier to compromise.

People can use what is called simjacking or sim-swapping to take over your mobile number, which can then be used to access your account. This is done by convincing or forcing a telecommunications company to port your mobile number over to a new sim card.

Some countries, including Australia, have introduced rules requiring telecommunications companies to properly verify who someone is before allowing them to port a mobile number to a new provider.

If I want a second layer of security on my Twitter account, what other options do I have?

One option is using a third-party authenticator for 2fa, rather than Twitter’s own service. Google Authenticator is the most prominent third-party app used for 2fa. However, password manager apps, including the one built into Apple’s iOS, now offer to also act as authenticators for Twitter and other sites.

When you set up 2fa via the Twitter app on your mobile, it will prompt where you can authenticate.

Another option is using a security key, which is a USB drive you can insert into your computer that can be used to authenticate yourself when logging into websites. While most are USB-C or USB based, some can connect wirelessly or through Apple’s lightning port. It is a hardware option if you prefer not to use an authenticator app.

What should I switch to?

Use whatever you feel most comfortable with. If you’re already using a password manager and that app also offers 2fa, then it makes sense to keep using what you know.

Whatever you are using, just make sure you’re entering in the number into the correct site and never give out the number to someone on the phone. Although the window for the code to be valid is short, if someone is trying to discover your code and take over your account, they might still be able to if they work quickly enough.

Twitter has recommended people use third-party apps or a security key instead of SMS for two-factor authentication. Photograph: Beata Zawrzel/NurPhoto/REX/Shutterstock
