How to protect yourself from 2FA suppression on Twitter

Last strange Elon Musk’s move to Twitter weakens the security of millions of accounts. On February 17, Twitter announced plans to stop people from using SMS-based two-factor authentication to secure their accounts, unless they start paying for a Twitter Blue subscription. However, there are safer, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging into a website, application, or service, 2FA requires you to log in using your username, password, and then authenticate the login using other information. Most often, this involves entering a temporary code that is generated or sent to you in real time.

This second piece of information helps prove that the person logging in is actually you. While billions of passwords have been compromised online, 2FA code is often delivered or generated by a device that’s in your pocket. Enabling any two-factor authentication is better than not having it. However, this is not entirely reliable. For years, security researchers have been warning that SMS-based two-factor authentication is not as secure as other 2FA options.

This is due to SIM spoofing attacks where attackers compromise phone numbers, allowing criminals to access 2FA messages and hack into accounts. Simply put: using a different 2FA option, even if it’s a little less convenient, is your best bet.

In its announcement, Twitter said that people have 30 days to turn off SMS-based two-factor authentication and switch to another option. It states that “bad actors” have abused the system in the past. On March 20, Twitter will “turn off” the use of text messages for two-factor authentication unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date.

However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-only 2FA for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security unless they switch to another 2FA option. Here’s what you should do to protect your account.

Use an authentication app or a dongle

Instead of turning off 2FA on your Twitter account, there are two better options: authentication apps and security keys. Both of them work on the same principles as SMS-based two-factor authentication. To enable any of these alternatives, you need to visit Twitter, open it Settings and privacythen Security and account access, Safetyand finally Two-factor authentication. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication through the app or with security keys.

Instead of sending a six-digit authentication code in an SMS message, authenticator apps constantly generate codes themselves and sync them with the services you use. Authentication apps list all the websites you’re signed up to and display the codes you need to enter to sign in. These codes are updated every 30 seconds. Every time you need to sign in to a website or app, you visit the authenticator app after entering your username and password to get an authentication code instead of waiting for a text message. (This is especially useful if your phone is not connected to the network for some reason).