Twitter will start charging users a monthly fee on March 20 in order to access a very basic safety function. The firm announced that it will stop SMS-based two-factor authentication, a common method used by Twitter users to secure their accounts, for those who have not signed up for Twitter Blue. Experts have criticised the action, claiming that it amounts to blackmail and will harm consumers.
Two-factor authentication is an additional layer of protection for online accounts. It lets users set up an extra step, using a code or a security key, rather than logging in with just a password.
Internet security professionals have criticised Twitter’s most recent decision to stop offering SMS-based verification to a significant portion of its users and have demanded regulatory review of the action.
Twitter, which is run by Elon Musk, has given a rationale for abandoning SMS-based two-factor authentication that appears incongruous. The business claimed in a blog post that “bad actors can utilise – and misuse – phone-number based 2FA.” Nevertheless, it also stated that only users of Twitter Blue, which costs about Rs 900 per month in India, will be able to access the safety function.
It is puzzling why Twitter would grant access to a security feature that the firm claims is misused by bad actors to a subset of its users who pay a monthly price for effectively purchasing a verification mark.
In fact, according to Twitter’s own data, SMS-based authentication is the most often used method of account security, probably due to its practicality. Around 2.6% of active Twitter users had two-factor authentication activated, with more than 74% choosing SMS-based verification, according to the company’s most recent transparency report.
Musk, who sacked about half of the staff at the company he acquired in October of last year, also suggested that the action might be yet another attempt at cost-cutting. In response to a user’s tweet regarding the new policy, the author stated that “Telcos Using Bot Accounts to Pump 2FA (two-factor authentication) SMS” and that the business was losing $60 million (approximately Rs. 490 crore) a year “on scam SMS.”
Experts have called for regulatory intervention, including Congressional hearings in the US, and have dubbed Twitter’s move “blackmail” and “stupid.”
Twitter’s action, according to John Scott-Railton, a senior researcher at the University of Toronto-based think tank Citizen Lab, will “hand hackers a major gift.” “As hackers search through password dumps, expect waves of takeovers… Users are not made more secure by unilaterally reducing their security and then expecting them to perform better. Security is increased gradually. Twitter definitely merits regulatory & Congressional investigation if they move forward with this,” he continued.
According to Eva Galperin, head of cybersecurity at the Electronic Frontier Foundation, the action may encourage users to completely disable two-factor authentication. “It kills me that this is so stupid.” Certainly, switching to an authentication app or a security key for 2FA is the best course of action in this situation, but most people, in her opinion, will just turn off 2FA, she wrote in a tweet.