Many Twitter users risk losing access to their Twitter accounts after this weekend. The issue at hand is Twitter’s previously announced move to revoke text-based two-factor authentication (2FA) from all Twitter users who do not subscribe to Twitter Blue.
Two-factor authentication is a critical security measure that most good web services offer. It requires that you enter a code any time you log in, in addition to your regular username and password details. The code is delivered to a user via text message or authenticator app when they attempt to log in and it helps ensure that bad actors who have obtained your username and password can’t access your account.
What Twitter is doing is mandating that those who want to receive 2FA codes via text message subscribe to Twitter Blue to keep doing so. As of Monday, March 20, it will be a “feature” exclusive to Twitter’s subscription service. The reason for this change is, ostensibly, that text message-based 2FA can be abused by bad actors. Presumably, Twitter wants to be able to verify the identity of those receiving texted codes, and being a Blue subscriber allows them to do that—or something. Its blog post on the change is pretty vague.
But the bigger issue is that it appears Twitter may lock users who currently have text-message-based 2FA enabled out of their accounts if they don’t disable text-based 2FA by this Sunday, March 19. Non-Blue subscribers are getting an ominous message to this effect when using Twitter in recent days. The message warns:
Only Twitter Blue subscribers can use the text message two-factor authentication method. It’ll just take a few minutes to remove it. You can still use the authentication app and security key methods. . . . To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.
As you can see, the message suggests that if you fail to remove text message 2FA from your account, you’ll be locked out—presumably, because your account will still be set up to need a code, but you won’t be able to receive the code via text any longer. This contradicts what Twitter warned would happen in its February 15 blog post in which it said, “At that time [March 20, 2023], accounts with text message 2FA still enabled will have it disabled.”
So, it’s anyone’s guess which warning is correct: If you don’t manually disable text-based 2FA on your Twitter account by the 19th, it’ll be disabled for you and anyone with your username and password will be able to log into your account. Or—you’ll still require a texted code to log in, but you won’t be able to receive the texted code and will thus be locked out of your account.
A third warning message, found here, says, “At that time [March 20, 2023], if you have text message 2FA still enabled, you will be prompted to disable it before you can continue to use your account.” So, maybe the lockout isn’t permanent.
Either way, what you must do if you aren’t a Twitter Blue subscriber is clear: Disable text-based two-factor authentication on your account now—and set up 2FA using an app instead. To disable text-based 2FA:
Text message-based 2FA is now disabled for your Twitter account. But you still want to have some kind of 2FA protecting your account. So, the next step is to set up an authenticator app to receive Twitter 2FA codes. Popular authenticator apps are Google Authenticator, Microsoft Authenticator, Authy, and the authenticator built right into Apple’s Safari web browser. Once you have one downloaded to your phone, do the following:
Once your authenticator app is set up to automatically generate Twitter 2FA codes, simply retrieve a code from the authenticator app whenever you need to log into Twitter in the future. You can also read Twitter’s two-factor authentication instructions here.
(25)
