Twitter security settings change a ‘desperate drive’ to save money, experts say

Twitter’s changes to its user security settings around two-factor authentication are a “desperate drive” to save the company money rather than protect users, a cybersecurity expert has claimed.

Graham Cluley said Twitter’s decision to only allow paying subscribers to its Twitter Blue programme to use a text message to confirm their identity when logging it to the site would leave “many users worse protected”.

Over the weekend, Twitter users began receiving a message telling them that text message-based two-factor authentication (2FA) was being moved into the Twitter Blue subscription – and that anyone who did not want to join the pay monthly subscription must stop using the security feature or lose access to Twitter.

The company said the new policy would take effect on March 20.

Two-factor authentication is a security feature designed to make online accounts more secure as it requires users to confirm who they are using a second log-in method after entering their username and password.

Currently, Twitter users can opt to receive an automatically generated text message containing a code – which is sent to the phone number linked to their account – and use this code to complete their login.

But users have now been sent a message telling them “you must remove text message two-factor authentication”, and have instead been encouraged to choose a different method, such as a physical security key that plugs into a user’s device, or an authentication app.

Mr Cluley said that although it was true that other forms of 2FA were more secure than text messages, Twitter’s approach to the change was questionable.

“Yes, authentication apps and hardware keys are a more secure way to harden your account than SMS-based 2FA… but this is being done by Twitter in a desperate drive to save itself money, NOT to improve the security of its users,” he tweeted in response to the change.

“Many users will be left worse protected than before.”

Other commentators said that while it was better to try to move users away from text message-based 2FA, Twitter’s approach could create confusion among users who were not cybersecurity experts and aware of the different forms of 2FA.

Twitter owner Elon Musk defended the decision (Brian Lawless/PA)

Javvad Malik, lead security awareness advocate at cybersecurity firm KnowBe4 said Twitter’s announcement had given out “mixed messages”.

“On one hand it is a positive move to restrict SMS as a second authentication mechanism because of its weaknesses and the ability of criminals to social engineer users,” he said.

“On the other hand, by making it available to paying Twitter Blue subscribers, it gives the impression that it is a premium security feature, which it is not.

“From a technical perspective, the use of alternative 2FA methods, such as using an authenticator app is more secure than 2FA. But we have an educational issue whereby most people are still not overly familiar with how these options work, or how to enable them.

“Therefore, what we see here is not necessarily a technical security issue – but rather one of usability and education, one where it’s important to architect security controls in a manner that makes the user experience a frictionless one, while at the same time enhancing the security.”

In response, Twitter owner Elon Musk defended the decision by claiming that the platform was “getting scammed by phone companies” for millions of dollars each year through “fake” 2FA text messages.

And in a blog post on the issue, Twitter said: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.”