Twitter Ending SMS-based 2FA for Free Users – But Here’s a Better Way to Save $60 Million

Robert MacDonald

Twitter is giving SMS-based two-factor authentication (2FA) the bird for all but its paid subscribers. But there’s a simpler way to secure Twitter accounts without ruffling anyone’s feathers.

In a recent tweet, the company announced that effective March 20, only “Twitter Blue” subscribers will be permitted to use text messages as a 2FA method to secure their accounts. Its rationale: Phone-based 2FA is being abused by what the company calls “bad actors.” In addition to hackers, these malevolent forces can include telcos using “bot accounts to pump [fees charged for] 2FA SMS.” Twitter says the price tag tops $60 million in annual losses.

Two-factor authentication requires an account holder to present a second authentication factor, in addition to the password used at login, to guard against account takeover (ATO). That second factor can be a one-time passcode sent via SMS, a code generated by a third-party authenticator app, or a hardware security key.

Twitter says it’s restricting SMS-based 2FA to paid subscribers to cut down on losses. But even then, availability may vary by country and carrier. All users, however, will still be allowed to use an authenticator app or a security key as 2FA methods.

Which is all … a bit confusing. It also raises a larger question: With better, simpler options for securing accounts so readily available, why use 2FA at all?

Twitter’s Farewell to “Free” 2FA

Twitter is right: SMS-based two-factor authentication isn’t bulletproof against bad actors. Cybercriminals have several ways of beating 2FA when harvesting login credentials for use in infiltrating accounts.

But if SMS 2FA is being disabled because bad actors abuse it, why continue to allow paid subscribers, and only them, to use the less secure authentication method? A paywall won’t help protect their accounts—it makes them better targets. And while there are incremental savings from reduced SMS costs, they will likely be minimal. As Wired points out, only 2.6% of Twitter users had 2FA of any kind enabled as recently as last July.

At a time when as many as 99.9% of all compromised accounts across industries aren’t 2FA-enabled, the question should be: how do we protect all accounts against bad actors? For Twitter, it’s an especially pertinent question.

Today, 51% of all account takeover attacks target social media accounts. And losses from imposters perpetrating fraud via social media platforms, often through hacked accounts, reached as much as $1.2 billion in 2022, according to the Federal Trade Commission. Removing methods for securing accounts can only contribute to an erosion of trust among users and advertisers at a time when Twitter is scrambling to grow its user base and become a profitable enterprise.

To be clear, more 2FA isn’t the answer. So let’s look at what is.

ATO-Proof Security Made Effortless

As mentioned, all Twitter users can continue to use an authentication app or security key for 2FA. But just like SMS, these and other traditional forms of multi-factor authentication create user friction and come with plenty of security loopholes.

As a result, users (paid and otherwise) get phished via email, SMS messages, phone calls, and, yes, on the social media platforms they use. But today, a new generation of customer authentication solutions can change all that.

If Twitter implemented our 1Kosmos platform, for example, there’d be no need for 2FA at all—SMS, key, app, or otherwise. No telco fees, either. Paid subscribers and free users alike could log in to Twitter and be verified instantly using a biometric captured when they set up or update a profile—without taking additional steps. Because BlockID is NIST 800-63-3, FIDO, and iBeta DEA EPCS certified, the user’s biometric can’t be stolen or spoofed.

Twitter could use the same technology to expand its highest tier, the Gold-Checkmark subscription, to celebrities, influencers, luminaries, and all business users associated with a specific brand by verifying identity at account setup or login. In the case of multi-user brand accounts, a method could be established for the brand’s master account owner to add or delete verified users while making it impossible for anyone to hack an account.

Tweeting Safely – Without 2FA

Think about this for a second. In addition to giving high-profile creators, influencers, businesses, and news organizations a reason to sign up for Twitter’s top subscription tier, BlockID can enable a frictionless, ATO-free user experience for everyone.

In turn, this can help Twitter increase subscriber revenues while creating a level of trust with users (paid and otherwise) that can boost advertiser confidence and spend. I’m biased, of course. But if you ask me, that’s something worth tweeting about.

To learn more about 1Kosmos BlockID, schedule a free demo today!

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.