Twitter will allow using the SMS-based two-factor authentication (2FA) only to its Blue subscribers

Twitter has announced that the platform will allow using the SMS-based two-factor authentication (2FA) only to its Blue subscribers.

To date, Twitter has offered three methods of 2FA: text message, authentication app, and security key. However, the company has announced that it will limit the use of SMS-based two-factor authentication (2FA) only to its Blue subscribers.

The move is the response of the company to the use/abuse of the authentication method by threat actors.

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.” reads the post published by the social media and social networking service. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.”

Non-Twitter Blue subscribers that are using the text message/SMS method of 2FA will have 30 days to enroll in another authentication method. 

“After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method.” continues the statement. “At that time, accounts with text message 2FA still enabled will have it disabled. Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, authentication)