Twitter recently announced an interesting change to its 2FA (two-factor authentication) system. In response to the increasing number of SIM-swapping attacks, which allow criminals to access user accounts, Twitter is discontinuing SMS-based two-factor authentication for users who do not subscribe to Twitter Blue. To keep using SMS-based 2FA, users must pay for a Twitter Blue subscription. Non-Twitter Blue subscribers will no longer be able to use SMS as a 2FA method after March 20th, 2023.
The primary concern with SMS 2FA is that criminals are able to trick, cajole or simply bribe employees in mobile phone companies to give them replacement SIM cards programmed with someone else’s phone number. The criminals then receive the login codes sent by SMS to that number and can take over the user’s account.
Twitter Blue subscribers will be allowed to keep using SMS-based 2FA, but this is not the best option for security. SIM-swapping attacks tend to be targeted, so it is more likely that Twitter Blue subscribers will become a target for criminals. It is better to switch to app-based 2FA to keep accounts secure.
It is also important to remember that if you gave Twitter your phone number for 2FA, you will need to go in and delete it yourself. Twitter will not delete any stored phone numbers automatically. Additionally, it is a good idea to set a PIN code on your phone's SIM card so that thieves cannot use it to take over your account.
In conclusion, Twitter has made an interesting change to its 2FA system in response to SIM-swapping attacks. Non-Twitter Blue subscribers will no longer be able to use SMS-based 2FA after March 20th, 2023. It is important to switch to app-based 2FA and to set a PIN code on your phone SIM in order to keep accounts secure.