2023-02-18

Twitter, following Elon Musk’s announcement that he has been bailed out of bankruptcy, has announced that it is limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers.

“While [SMS-based two-factor authentication is] historically a popular form of 2FA, unfortunately we have seen phone number-based 2FA being used – and abused – by bad actors”, the company stated.

Twitter then added: “We will no longer allow accounts to sign up for the SMS/SMS method of 2FA unless they are a Twitter Blue subscriber“.

Users of the bluebird platform who have not subscribed to “Blue” and who have signed up for SMS-based 2FA have until March 20, 2023 to switch to an alternative method such as an authenticator app or a hardware security key.

After this deadline, non-Blue subscribers will see their option automatically disabled.

The alternative methods “require physical possession of the authentication method and are a great way to ensure that your account is secure”, Twitter noted.

Since texting has always been the least secure form of 2FA, the change is likely to “force” people to switch to more secure forms of authentication.

According to Twitter data, only 2.6% of all active accounts have at least one form of 2FA enabled. SMS accounts for 74.4%, followed by authentication applications (28.9%) and security keys (0.5%).

Insight: what is Twitter’s senior management telling us?

On removing this feature for non-subscribers with the blue check: “We are taking this step due to vulnerabilities being addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication”, the company said.

Last week, Twitter acknowledged that the phone number associated with Dorsey’s account was compromised due to what it attributes to the operator’s “security oversight”, thus allowing an unauthorized third party to post tweets via text messages from that phone number.

While unconfirmed, Dorsey’s number is suspected to have been the victim of a SIM swapping attack, a social engineering trick used by cybercriminals to get carriers to switch their victims’ cellular service to a SIM card under their control.

This basically allows hackers and phreakers to intercept calls and text messages, including those used for two-factor authentication.

SMS tweeting has been a key feature of Twitter since its inception. The 140-character limit for tweets (since expanded to 280) was also originally set to reflect the length of SMS messages.

But the company’s decision to disable the option underscores the seriousness of the problem, not least because such SIM-swapping attacks undermine the use of phone numbers as login IDs.

For now, pay close attention to the permissions of Twitter’s third-party applications and make sure you’ve only granted access to applications you trust.

As for protecting against SIM swapping, there isn’t much you can do. One course of action is to switch to authenticator applications like Google Authenticator, rather than your phone number, for two-factor authentication. But this is only possible on services that allow it.