Why You Shouldn't Pay Twitter For Text Message Account Security

Twitter has made yet another controversial change that appears to be a brazen tactic to hawk its Twitter Blue subscription service. As part of an official policy change, the company has announced that you will no longer be able to use SMS as a two-factor authentication measure unless you subscribe to Twitter's paid tier. For the unaware, two-factor authentication is an added security measure that requires you to verify your identity after entering your Twitter log-in credentials.

Right now, Twitter supports three ways of doing two-factor authentication: SMS, a third-party authenticator app, or a physical security key. Explaining the policy change, Twitter reasons that "we have seen phone-number based 2FA be used – and abused – by bad actors." However, Twitter doesn't explain how allowing only Twitter Blue subscribers to use the SMS-based method will boost security in any fashion, or indeed resolve the risks of abuse associated with SMS-based authentication.

The security argument may not make sense, but it's not difficult to see how it could work as a cost-cutting measure, or simply as another push to increase the company's revenue. Twitter says that it will automatically disable SMS-based two-factor authentication starting March 20 for all users who haven't paid for a Twitter Blue subscription. However, the company says that it won't decouple your registered phone number from your Twitter account after disabling the SMS option as a second layer of security for account log-in.

Why pay to get worse security?

Asking users to pay a minimum of $8 per month to be able to use the weakest security measure doesn't really make sense. Out of the available options, a physical security key is the safest. That's primarily because a physical security key is always in your possession, which means a bad actor can't obtain it as easily as acquiring your password from a data breach. Plus, if you're using one of those physical security keys with a built-in fingerprint reader, the chances of losing control of your account get even slimmer.

However, you still have to pay in order to buy a physical security key. Thankfully, Twitter lets you use a third-party authenticator app as your second factor instead. There are both free and paid options for iOS and Android, with some of the most common including Google Authenticator, Authy, LastPass, and Microsoft Authenticator. According to security experts, SMS is the weakest standard for two-factor authentication, and there has been no shortage of security incidents in recent years that illustrate this.

Aside from phishing, an SMS-based code can also be intercepted by a bad actor to wreak havoc. Unlike encrypted messaging apps such as WhatsApp, SMS is only as secure as the carrier network it piggybacks on. Hackers have been known to plant malware in those networks to intercept messages, meaning that while the convenience of SMS two-factor authentication is high, its security credentials aren't quite so impressive.