What is Twitter changing, and why?

Starting March 20, Twitter users are no longer able to use text-based two-factor authentication feature (also called 2FA) to protect their free accounts on the service. Going forward, the option will only be available to people who pay $8 a month for its Twitter Blue service. Twitter is instructing users to either sign up for Twitter Blue or turn on app-based authenication. Since Elon Musk took over Twitter last October, the company has been scrambling to find ways to make and save money. It has laid off thousands of workers and pushed Twitter Blue, which lets users pay monthly for a verification check mark. This change could save the company money. Musk has claimed text verification, specifically fraud by phone companies, is costing the company $60 million a year.

What is two-factor authentication?

A strong, unique password is important, but it’s no longer enough to protect most online accounts. The next level of security is adding two-factor authentication, which lets a site or service confirm your identity through a separate entity. There are three common methods of authentication: sending a code to your phone, using a code that updates every minute from an authenticator app on your device, or inserting or tapping a physical security key . Criminals might be able to steal or guess your password, or find it in a data breach, but they still won’t be able to log into your account without this extra piece of information.

Does this change make me more or less secure?

Authentication over text is considered the most convenient and widely adopted option, in part because it uses existing text message apps. It is, without a doubt, safer than only using a password. Experts say it’s not as secure as using an authentication app or security key because of known hacks such as SIM swapping or social engineering attempts to get people to share the codes. If every Twitter user makes the switch to an authentication app, more people will be safer. However, experts worry about that the opposite could happen — more people with only a password.

What are security experts worried about?

Instead of a sudden requirement to switch with a deadline a month away, Twitter could have used nudges to encourage people to make the switch over a long period of time, experts say. Twitter’s approach could result in more people going without any secondary verification. “The likely thing that’s going to happen is most users are just going to kind of dismiss this warning,” says William Budington, a senior staff technologist at the Electronic Frontier Foundation. He also thinks it is an attempt by the company to try to make money off its fledgling Twitter Blue service. The change could also mistakenly lead Twitter Blue users to think they are safer than they are. “They’re saying, ‘You pay us this extra money, and we’ll give you the convenience of being able to choose the less secure of these options,’ ” says Caroline Wong, chief strategy officer at San Francisco-based cybersecurity firm Cobalt.

Do I need to sign up for Twitter Blue?

No. In fact, signing up for Twitter Blue primarily to get verification codes over text message might make you less secure than the people moving to app-based verification. That’s if, and only if, free users take the extra step to set up an authentication app. “Download the authenticator app and save yourself $8 bucks a month, unless the other benefits are worth it to you,” Wong recommends.

What should I do to stay secure?

You are going to disable 2FA on Twitter and start using an authentication app. It’s easy; we’ll show you exactly what to do. Now whenever you need to log on to Twitter from a new device or browser, open your authenticator app and enter the numeric code listed for Twitter.

Can I just ignore this?

If you do nothing, just carry on with your life and never visit your Twitter settings, you could end up less secure. Twitter said in a support post that people who do not disable 2FA “will be prompted to disable it before you can continue to use your account.” However, many users have reported having their text 2FA turned off automatically, leaving them with just a password for security. If you don’t re-add a second factor of authentication, you could soon run into other issues like having your account compromised. The safest move is to set up an authentication app now.

What's New

Secure your Twitter account for free, now

Twitter announced it will charge users who want to use SMS two-factor authentication, but there’s a safer, no-cost option

By Heather Kelly

Updated March 23, 2023 at 6:22 a.m. EDT|Published February 22, 2023 at 6:00 a.m. EST

A bird swallows a text with a 6 digit code. — (Illustration by Elena Lacey/The Washington Post)

Listen

7 min

If you’ve heard us say it once, you’ve heard it a thousand times: Turn on two-factor authentication. Do it for every important account you have, especially banking, email and social media. Do it to avoid hacks, and do it now.

Last month, Twitter announced it would no longer let people use the most common form of two-factor authentication — a numeric code sent over text message — free. Instead, users were told to either sign up for the $8-a-month Twitter Blue service or switch to a different type of two-factor authentication by March 20.

Twitter has disabled text-based two-factor authentication automatically for some users who aren’t paying members, leaving them exposed. If you have a Twitter account, even if you don’t post much, you should take steps to secure it now. Don’t worry — it won’t cost a dime. Here’s everything you need to know.

What to do if you lose your phone and can’t access your accounts

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips to make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Ask a question: Send the Help Desk your personal technology questions.