Twitter is giving SMS-based two-factor authentication (2FA) the bird for all but its paid subscribers. But there’s a simpler way to secure Twitter accounts without ruffling anyone’s feathers.
In a recent tweet, the company announced that effective March 20, only “Twitter Blue” subscribers will be permitted to use text messages as a 2FA method to secure their accounts. Its rationale: Phone-based 2FA is being abused by what the company calls “bad actors.” In addition to hackers, these malevolent forces can include telcos using “bot accounts to pump [fees charged for] 2FA SMS.” Twitter says the price tag tops $60 million in annual losses.
Two-factor authentication requires an account holder to use a second authentication method in addition to a login to secure against account takeover (ATO). These methods can include a one-time passcode sent via SMS, or the use of a third-party authenticator or a security key.
Twitter says it’s restricting SMS-based 2FA to paid subscribers to cut down on losses. But even then, availability may vary by country and carrier. All users, however, will still be allowed to use an authenticator app or a security key as 2FA methods.
Which is all … a bit confusing. It also raises a larger question: With better, simpler options for securing accounts so readily available, why use 2FA at all?
Twitter’s Farewell to “Free” 2FA
Twitter is right: SMS-based two-factor authentication isn’t bulletproof against bad actors. Cybercriminals have several ways of beating 2FA when harvesting login credentials for use in infiltrating accounts.
But if 2FA is being disabled due to abuse by bad actors, why continue to allow only paid subscribers to use a less secure authentication method? A paywall won’t help protect their accounts—it makes them better targets. And while there are incremental savings from reduced SMS costs, they will likely be minimal. As Wired points out, only 2.6% of Twitter users had 2FA of any kind enabled as recently as last July.
At a time when as many as 99.9% of all compromised accounts across industries aren’t 2FA-enabled, the question should be: how do we protect all accounts against bad actors? For Twitter, it’s an especially pertinent question.
Today, 51% of all account takeover attacks target social media accounts. And losses from imposters perpetrating fraud via social media platforms, often via hacked accounts, topped as much as $1.2 billion in 2022, according to the Federal Trade Commission. Removing methods for securing accounts can only contribute to an erosion in trust among users and advertisers at a time when Twitter is scrambling to grow its user base and become a profitable enterprise.
To be clear, more 2FA isn’t the answer. So let’s look at what is.
ATO-Proof Security Made Effortless
As mentioned, all Twitter users can continue to use an authentication app or security key for 2FA. But just like SMS, these and other traditional forms of multi-factor authentication create user friction and come with plenty of security loopholes.
As a result, users (paid and otherwise) get phished via email, SMS messages, phone calls, and, yes, on the social media platforms they use. But today, a new generation of customer authentication solutions can change all that.
If Twitter implemented our 1Kosmos platform, for example, there’d be no need for 2FA at all—SMS, key, app, or otherwise. No telco fees, either. Paid subscribers and free users alike could log in to Twitter and be verified instantly using a biometric captured when they set up or update a profile—without taking additional steps. Because BlockID is NIST 800-63-3, FIDO, and iBeta PAD-2 certified, the user’s biometric can’t be stolen or spoofed.
Twitter could use the same technology to expand its highest-tier, Gold-Checkmark subscription to celebrities, influencers, luminaries, and all business users associated with a specific brand by verifying identity at account setup or login. In the case of multi-user brand accounts, a method could be established for the brand’s master account owner to add or delete verified users while making it impossible for anyone to hack an account.
Tweeting Safely–Without 2FA
Think about this for a second. In addition to giving high-profile creators, influencers, businesses, and news organizations a reason to sign up for Twitter’s top subscription tier, BlockID can enable a frictionless, ATO-free user experience for everyone.
In turn, this can help Twitter increase subscriber revenues while creating a level of trust with users (paid and otherwise) that can boost advertiser confidence and spend. I’m biased, of course. But if you ask me, that’s something worth tweeting about.
To learn more about 1Kosmos BlockID, schedule a free demo today!