Twitter has ended free two-factor authentication via text message, a crucial tool for users to keep themselves safe from hackers. But there’s an alternative that offers even better security and doesn’t cost a thing.
Two-factor authentication is a way to let a user prove they are who they say they are by generating a temporary code on their phone. It’s like an additional one-time-use password. Hackers sometimes have access to people’s passwords, especially if they reuse the same ones across multiple sites, so enabling two-factor authentication makes it much harder for a hacker to gain control over someone’s account.
Last month, Twitter announced that its users would no longer have free access to text message two-factor authentication, or SMS 2FA, in which a user gets their one-time code as a text message. People who pay for the company’s subscription service could still use the method.
But it’s still free for anyone to use an even better form of two-factor authentication: the kind that comes from an authenticator app on their phone. Several trustworthy tech and security companies, including Twilio’s Authy and Google, make free versions. Anyone who downloads one of those and syncs it to their account will see it continuously generate temporary 2FA codes.
Cybersecurity experts argue that an authenticator app is superior to text message authentication because some dedicated hackers can intercept a victim’s incoming text messages through a practice called SIM swapping. Hackers can only access a user’s authenticator app codes if they have physical access to a victim’s phone.
Here are some basics on how to set up an authenticator app. Specifics can vary depending on the app, your mobile operating system, and whether you are using Twitter on desktop or mobile.
- Download an authenticator app and follow its setup instructions, which can include allowing it to verify your phone with a text message or email.
- Go to Twitter’s security settings to sync your account there with the authenticator app.
- Tap the authenticator app for a new code whenever you change your Twitter password or log in from a new device.
Twitter’s decision to end free text message-based 2FA was an unprecedented step for a major tech company. For years, major websites, as well as the U.S. government, have encouraged more users to use 2FA as a way to reduce the number of accounts taken over by hackers. While experts widely agree that using an authenticator app is superior, the SMS version is much more common.
Only a small fraction of Twitter users employ any kind of two-factor authentication. In a transparency report published in July, the company said that only 2.6% of its users used 2FA, and that nearly three-quarters of those who did used the text message version.
Twitter has not published a transparency report since and appears to have discontinued the practice under Elon Musk’s ownership. Twitter did not respond to a request for comment, as its dedicated email for press requests now automatically sends a “poop” emoji.
Musk has indicated that he ended free SMS 2FA because text messaging services charge money. He has agreed with experts that using an app offers better cybersecurity.
While Twitter’s decision might encourage some users to adopt an authenticator app, it will likely end up making the site less secure, said Alyssa Miller, a cybersecurity speaker and author.
“While I’d love to say there is a silver lining here, all indications are that this decision by Twitter was a cost-savings move and has nothing to do with making users’ accounts more secure,” Miller said. “I’d argue the negative impact on adoptability far outweighs any incremental benefit.”
The change “makes the platform ultimately less secure for Twitter’s user base,” she said.