Security News > 2023 > February > Twitter tells users: Pay up if you want to keep using insecure 2FA
Using texts is insecure for doing 2FA, So if you want to keep it up you're going to have to pay.
The bulletin says that "After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled."
Legitimately replacing a lost, broken or stolen SIM card is obviously a desirable feature of the mobile phone network, otherwise you'd have to get a new phone number every time you changed SIM. But the apparent ease with which some crooks have learned the social engineering skills to "Take over" other people's numbers, usually with the very specific aim of getting at their 2FA login codes, has led to bad publicity for text messages as a source of 2FA secrets.
We suspect that if the company really were serious about retiring SMS-based login authentication, it would impel all its users to switch to what it considers more secure forms of 2FA. Ironically users who pay for the Twitter Blue service, a group that seems to include high-profile or popular users whose accounts we suspect are much more attractive targets for cybercriminals.
Will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.
If you are a non-Blue Twitter user with SMS 2FA turned on, consider switching to app-based 2FA instead. Please don't simply let your 2FA lapse and go back to plain old password authentication if you're one of the security-conscious minority who has already decided to accept the modest inconvenience of 2FA into your digital life.