Twitter's 2FA Change Leaves Non-Paying Users Vulnerable
Twitter has announced a change to its two-factor authentication (2FA) policy. From March 20, 2023, non-paying users will no longer be able to use text-message (SMS) 2FA; the method becomes a perk of the paid Twitter Blue subscription. Twitter frames the move as a response to abuse of phone-number-based 2FA, while critics read it as cost cutting. Either way, it raises security concerns.
The change does not remove 2FA from non-paying accounts outright. Authenticator apps (time-based one-time passwords) and hardware security keys (FIDO/WebAuthn) remain free for everyone, and both are stronger than SMS: the code or signature is produced on the user's own device and never crosses the carrier network, so SIM swapping and SMS interception do not apply. The risk is in the transition. Accounts that still have SMS 2FA enabled on March 20 will have it switched off rather than migrated, dropping them to password-only authentication, which is fragile wherever the password is weak or reused. Twitter's notice tells users to enrol a different method within the 30-day window, but it performs no migration on the user's behalf, so anyone who ignores the prompt ends up with no second factor at all.
Twitter Blue subscribers, by contrast, keep SMS-based 2FA. They gain no option that non-subscribers lack, since app- and key-based 2FA are open to all; what they retain is the weakest method. Keeping that method as a paid perk, rather than retiring it for everyone, is what drives speculation that cost savings, not security, motivated the decision. The move may also push other organizations to weigh the cost of SMS delivery against the security of the factors they offer.
The FIDO Alliance, which develops the passwordless authentication standards behind security keys and passkeys, has long argued that SMS one-time codes should be retired in favor of phishing-resistant, origin-bound credentials that are also easier to use.
Disabling SMS 2FA for non-paying users is a security regression only for those who do not migrate, since the free alternatives are stronger than SMS. But because the deadline disables the method instead of converting it, some share of accounts will be left with no second factor at all. Paying users keep a method both Twitter and the FIDO Alliance consider weak, which is why the change reads as cost cutting rather than a security upgrade, even as it nudges the wider industry toward app- and key-based authentication.