Twitter is turning SMS two-step verification into a paid Blue feature

Starting March 20, Twitter will only allow Twitter Blue subscribers to use text messages as a two-step verification method. Regular users can still set up authentication apps or security keys as a 2fa method.

Twitter chooses in their own words in favor of turning two-step verification via SMS into a paid option, because the 2fa method is often ‘misused by malicious parties’. No further explanation is given. Twitter warns users who still use 2fa via SMS from March 20 and have not taken out a Blue subscription.

The notification those Twitter users with 2fa via
receive SMS if they are not a Blue subscriber.

Two-step verification via SMS is often seen as the most insecure 2fa method. According to critics, this is largely due to the fact that SMS is linked to a telephone number. There are many examples where accounts were taken over by taking over a telephone number through social engineering. In many cases, this does not appear to be very difficult via the customer service of providers. Microsoft, among others, has therefore called in the past not to use two-step verification via SMS.

Despite this, this is by far the most popular 2fa method. According to Twitter only 2.6 percent of all accounts use two-step verification, of which 74.4 percent do so via SMS. An authentication app is used in 28.9 percent of the cases and a security key only 0.5 percent.

Twitter has been trying to make money from subscriptions since the acquisition of Elon Musk. Musk previously said that half of Twitter’s revenue should come from paying users over time. The Blue service costs eight euros per month on Android and eleven euros if users take out via iOS.