Twitter and the cash dash: SMS two-factor authentication

Twitter is a business. And like all businesses, it needs to make money to survive. Pretty simple concept, but apparently it takes someone like Elon Musk to do something about it.

Because up until now, Twitter has been in a bit of a financial pickle.

But I can’t help feeling that there’s a sense of desperation going on - I mean, charging $100 a month for API access (which has been delayed twice so far) is a bit on the pricey side but is honestly fine if you’re building a profitable business on top of the platform.

Even offering a subscription-based tier where you give extra functionality at a cost to support the platform makes sense. That is - when you provide working, stable functionality that doesn’t suck. (Blue checkmarks are not functionality, and slapping “coming soon” on literally everything you say you’re going to provide, then not providing it nor a timescale for delivery… well, it kinda negates the value proposition, doesn’t it?)

But one has to wonder about the latest “benefit” to being a Twitter Blue user: From March 20th, 2023, you get to use SMS-based two-factor authentication. Sounds great, right?!


Positioning SMS-based two-factor authentication as a paid “benefit” is the dumbest thing to have come out of Twitter HQ since Elon Musk took over. Well, so far.

SMS-based multi-factor authentication is used in places it really shouldn’t be. The UK’s online Government portal is a really good example of this. I mean, let’s be clear - SMS 2FA is better than no 2FA at all. But you can already use authenticator apps to secure your Twitter account, without paying a cent to Elon’s bank account.

Firstly, there’s the whole thing of paywalling security features. Prioritising money over keeping your users safe and secure is probably one of the best ways you can assure your users you simply don’t give a crap. Yes, Twitter provides a more secure 2FA method without paying, but that’s not the point.

Secondly - SMS is not free. There is a cost associated with sending a text message, and this is most likely the driver behind the decision. But given there are better alternatives, the obvious decision is to do away with the cost and scrap it altogether.

Setting aside how bad it looks to users and the financial implications, anyone who knows their history will know that telecommunications aren’t the most secure thing on the planet. From wiretapping to GSM hacking, impersonation and MITM (man-in-the-middle) attacks, there are a whole bunch of technical reasons why using a phone to confirm you are really the person logging into your favourite bird-singing website (or Government, or anything else using SMS for confirmation) is really not wise.

Social engineering - the practice of manipulating a person or group of people into giving up information that can compromise them, an account or someone else - is another great reason why SMS-based multi-factor authentication should not be on your list. The attacker launches a social engineering attempt at your mobile service provider - the aim is to have a new SIM sent, which they can intercept and use. At that point, they have control of your number, and access to any SMS MFA you have associated with it.

Not cool.

The good news is it’s not a scalable thing, so the chances of you being a target of it are quite low. But it’s still a thing, and should still be considered.

As I mentioned earlier, the ideal solution would be to rip out text messaging for two-factor authentication, stop claiming a security feature is a “benefit” of a subscription account, and use something far more secure. Hardware or software authenticators are a great alternative, and with several authenticator apps out there all following the same approach, there’s really no excuse not to.
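
The shared approach behind authenticator apps is TOTP (RFC 6238): the code is computed on the device from an enrolled secret and the clock, so nothing travels over the phone network and the phone number plays no part. The sketch below is an added example, not code from this post or from Twitter; the function names are hypothetical and the secret is the published RFC test key, used here as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by typical authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


def verify(secret: bytes, submitted: str, at: float, last_counter: int = -1,
           window: int = 1, step: int = STEP):
    """Server-side check. Returns the matched counter, or None on failure.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    skips any counter <= last_counter so an already-used code cannot be
    replayed (the default of -1 also skips negative counters).
    """
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret: the ASCII test key from RFC 6238 Appendix B.
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    print("code:", code, "accepted at counter:", verify(secret, code, now))
```

A service using this would store the counter returned by `verify` per account and pass it back as `last_counter` on the next login.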