Twitter Limits SMS-Based 2FA to Twitter Blue Members

Effective March 20, Twitter will no longer allow people to use SMS-based two-factor authentication (2FA), unless they subscribe to Twitter Blue.

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors,” Twitter wrote in a Friday night blog post. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

Those who are not enrolled in Twitter Blue can still use an authenticator app or a security key for 2FA. But if they’re currently using SMS to authenticate their accounts, they only have 30 days to make the switch.

“After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled,” Twitter says.

SMS-based multi-factor authentication is considered the weakest form of 2FA. Hackers have tricked cellular providers into cloning a victim’s mobile phone number to a new SIM card, which they put in their own phones to intercept an SMS 2FA code. But getting people to adopt multi-factor authentication has been an uphill battle for many services, and a text-based code is better than nothing.

Twitter Blue is the company subscription-based service; it offers features like the ability to edit tweets for $8 per month. Elon Musk, the company’s new CEO, has made a big push to boost subscribers to the service by putting some features behind a paywall. Thus far that’s largely focused on vanity options like the blue checkmarks, though, rather than security features that could put a large number of the site’s members at risk if disabled.

On Twitter, Musk framed the move as as cost-cutting measure. "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages," he wrote.

To check the status of 2FA on your Twitter account, navigate to Settings & privacy > Security and account access > Security > Two-factor authentication and choose between an authentication app or security key.

Editors' Note: This story was updated with comment from Musk.

About Our Expert

Chloe Albanesius

Executive Editor, News

My Experience

I started out covering tech policy in DC for The National Journal, where my beat included state-level tech news and all the congressional hearings and FCC meetings I could handle. I later covered Wall Street trading tech before switching gears to consumer tech. I now lead PCMag's news coverage.

My Areas of Expertise

Getting my start in DC means I still have a soft spot for tech policy; Congressional hearings can sometimes be as entertaining as a Bravo reality show, for better or worse. But PCMag is all about the technology we use every day, as well as keeping an eye out for the trends that will shape the industry in the years ahead (or flop on arrival). I've covered the rise of social media, the iOS vs. Android wars, the cord-cutting revolution that's now left us with hefty streaming bills, and the effort to stuff artificial intelligence into every product you could imagine. This job has taken me to CES in Vegas (one too many times), IFA in Berlin, and MWC in Barcelona. I also drove a Tesla 1,000 miles out west as part of our Best Mobile Networks project. Of late, my focus is on our hard-working team of reporters at PCMag, guiding and editing their robust coverage.

Read the latest from Chloe Albanesius

Read full bio