Twitter is making two-step verification via SMS a paid Blue feature
Starting March 20, Twitter will only allow Twitter Blue subscribers to use text messages as a two-step verification method. Regular users can still set up authentication apps or security keys as a 2FA method.
Twitter says, in its own words, that it is choosing to turn two-step verification via SMS into a paid option because the 2FA method is often 'abused by malicious parties'. No further explanation is given. For users who still use 2FA via SMS on March 20 and do not have a Blue subscription, two-step verification will be automatically disabled, Twitter warns.
The notification that Twitter users with 2FA via SMS receive if they are not Blue subscribers.
Two-step verification via SMS is often seen as the least secure 2FA method. According to critics, this is largely because SMS is tied to a telephone number. There are many examples of accounts being taken over after an attacker took over the telephone number through social engineering. In many cases this appears not to be very difficult to do through providers' customer service. Microsoft, among others, has therefore in the past urged users not to use two-step verification via SMS.
Nevertheless, this is by far the most popular 2FA method. According to Twitter, only 2.6 percent of all accounts use two-step verification, of which 74.4 percent do so via SMS. An authentication app is used in 28.9 percent of cases and a security key in only 0.5 percent.
Twitter has been trying to make money with subscriptions since Elon Musk's takeover. Musk previously said that half of Twitter's revenue would eventually come from paying users. The Blue service costs eight euros per month on Android and eleven euros if users subscribe via iOS.