Comment & Analysis / Media & Technology

Explained: Twitter is removing a basic safety feature from many accounts - here's how not to get hacked

11:37 am on 13 March 2023

From 20 March, people who are not paying to subscribe to Twitter Blue will have two-factor via SMS disabled. Photo: AFP

By ABC technology reporter James Purti

Last month, Twitter announced it was ending free SMS two-factor authentication.

You may have seen this news, and you may well have done nothing to prepare.

The date of the change is almost here. From Monday, 20 March, people who haven't paid $13 a month to subscribe to Twitter Blue will have two-factor authentication (2FA) via SMS disabled.

Here's what that means, what effect it could have on the platform, and how you can make your account just as secure for no extra cost.

What is two-factor authentication?

It's an extra layer of security designed to prevent your account being taken over if your password is compromised.

The most common form is SMS 2FA. Once you've entered your password to log into an account, the authentication system sends your phone an SMS with a code. You enter this code on the website to prove you are the owner of the account.

Other forms of 2FA are software-based authentication tokens and hardware keys. We'll get to those later.

Basically, banks, social media platforms, and other security-conscious organisations generally see 2FA as a good and useful thing, especially since many people riskily reuse passwords for several platforms.

For this reason, SMS 2FA is usually offered free of charge.

Not any more! Why is Twitter ditching free SMS 2FA?

Twitter owner Elon Musk has given two different reasons. One is about money. The other, security.

Last month, Musk tweeted that phone companies were scamming Twitter of US$60 million per year by sending "fake" 2FA SMS.

That is, Twitter has to pay for those 2FA SMS, and telcos were gaming the system.

In another tweet, he said other authentication apps (ie 2FA soft tokens) were "more secure than SMS".

Troy Hunt, an internet security expert, agreed, saying "generally SMS is considered to be the weakest" in the "security hierarchy" of 2FA methods.

This is because an attacker can trick a phone company into assigning the target's phone number to a new SIM card, so the attacker receives the 2FA text. This fraud is known as "sim jacking".

Many have pointed out that paid-up Twitter Blue users will still have access to SMS 2FA, which is hard to square with Mr Musk's claim that boosting security was the reason for the decision to cancel free SMS 2FA.

"If it's about security, they should [cancel SMS 2FA] for everyone, for Twitter Blue users," Hunt said.

"The irony there is Twitter Blue users are more invested in the platform."

What effect will cancelling free SMS 2FA have on Twitter?

Probably not a lot, Hunt said.

Don't expect all hell will break loose on 20 March.

"The number of people that have 2FA enabled on Twitter is in the single digits," Hunt said.

Of these, some already have Twitter Blue. Some may upgrade to Twitter Blue. Others will switch to other methods of 2FA (we're getting to them). And of those that remain, most will not have passwords that have already been hacked.

"You have to imagine there'll be some degree of uptick in account takeover," Hunt said.

These takeovers cost the individual as well as the organisation. Whether the predicted uptick in takeovers would cost Twitter more than $60 million a year was a "good question", he said.

How can I keep my account secure without free SMS 2FA?

Where to change your two-factor authentication method on the Twitter app. Photo: Supplied / Twitter

You've got two options: authenticator apps and hardware keys.

The first of these is the simplest and cheapest. Download one (there are lots that are free). Then go to Twitter and click Settings and privacy > Security and account access > Security > Two-factor authentication and click Authentication app. Enter your password and click Confirm.

Authenticator apps aren't vulnerable to sim-jacking, but you can still be phished. That is, you might be tricked into sharing your password with the wrong person, often through them sending you to a webpage that looks identical to a platform's log-in page.

That leaves the final option: hardware keys.

This is a USB drive that plugs into your computer and provides a unique number, or "key", to authenticate yourself.

It's the most trusted option, but many people find them inconvenient. You have to have the key on you whenever you need to complete 2FA.

What will happen if I do nothing at all?

Probably not much.

You'll still be able to use Twitter like before.

From 20 March, you'll be prompted to disable 2FA before you can continue to use your account.

The only real change will be a hard-to-quantify but significant increase in the risk of having your Twitter account hacked.

- ABC