Twitter has announced that it is putting its SMS two-factor authentication feature behind a paywall, forcing people to either disable it or switch to another way of securing their account.
The move, which Twitter announced in a post-dated blog post, means the only way that people can continue to use SMS-based two-factor authentication is to pay for the Twitter Blue subscription.
"We continue to be committed to keeping people safe and secure on Twitter, and a primary security tool we offer to keep your account secure is two-factor authentication," Twitter's announcement started out. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors."
The company went on to say that it "will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers."
For those who already have SMS-based two-factor authentication enabled, Twitter is offering 30 days grace. "Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another," the statement read.
Ironically, the security feature that Twitter is so keen to charge for is actually the worst option available in terms of two-factor authentication options. SIM swap attacks have historically seen people lose access to their own phone number, leaving any account with SMS-based authentication potentially wide open. The Verge points out that Twitter co-founder Jack Dorsey was targeted in such a way a few years ago. Alternatively, someone could just steal your phone instead.
As a result, app or hardware token-based two-factor authentication codes are a better idea. Google Authenticator is one example of an app that can handle such codes, and there are plenty of hardware security keys available to choose from.
If you really must continue to use SMS-based two-factor authentication you're going to need Twitter Blue - an offering that will get you fewer ads and a blue checkmark, amongst other things.