Should Twitter Charge for SMS 2FA If a Better Option Already Exists?
Should Twitter Charge for SMS 2FA If a Better Option Already Exists?



Can you put a price tag on security? According to Twitter executives, you can. For $8 a month, the cost of Twitter’s premium service Twitter Blue, customers can continue to enjoy the added security benefits of 2-factor authentication. Users who do not subscribe to Twitter Blue will be booted from phone-number based 2FA, a service that was previously free, in 30 days. The product announcement has caused controversy for the social media giant, raising concerns from privacy advocates, eliciting mixed reviews from the cybersecurity community, and causing widespread confusion among Twitter users.
Here’s an excerpt from Twitter’s official announcement:
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
When announcing its plan to make SMS-based 2FA a paid feature, Twitter took the unorthodox approach of highlighting the very legitimate limitations of phone-number based 2FA rather than highlighting its benefits. In this brief excerpt, Twitter (1) describes 2FA as popular, (2) admits that 2FA can be “used and abused by bad actors,” and (3) announces a plan to limit 2FA to paying customers only. No wonder why folks are confused!
Is there a method to the madness? To find out, we’ll dive into both the strengths and weaknesses of SMS-based 2FA, take a look at the macroeconomic pressures informing Twitter’s decision to begin charging for the service, and finally study the potential implications of this bold move on the digital authentication landscape at large.
Why has phone-number based 2FA been “historically popular”?
Two-factor authentication is a common subset of Multi-Factor Authentication (MFA). In Twitter’s case, the user’s first credential is their username and password. If they have 2FA activated, the user’s second credential is a unique string of numbers known as a one-time passcode that is sent to their registered phone via SMS. At Prove, we call this ‘running a possession check.’
Phone-number based 2FA is popular because it doesn’t require the user to download an authentication app. It’s as simple as receiving an SMS. Unfortunately, as the Twitter statement rightly pointed out, 2FA also has some major security vulnerabilities.
What are the limitations of SMS-based 2FA?
Despite their popularity, SMS-based 2FA has security vulnerabilities that are worth noting as fraudsters have developed a playbook to steal a victim’s OTP via a SIM swap fraud.
With SIM swap attacks, fraudsters can surreptitiously take over a victim’s phone, intercept the OTP, and successfully enter into a victim’s account in just minutes. There are multiple reports outlining the devastating effects of SIM swap fraud on a victim’s life.
SIM swap attacks are a common way for fraudsters to bypass many MFA flows by intercepting OTPs. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another recent study on the top five US prepaid carriers highlighted that 80% of SIM swap attacks were successful because of authentication vulnerabilities.
If SMS-based 2FA is vulnerable to attack, why is Twitter turning it into a paid feature?
For the money, of course. As their old model of ad revenue implodes, the social media giants are searching for new ways to cut costs and boost revenue. Charging users for 2FA achieves both these goals.
Cutting Costs: The cost of generating these OTPs and sending them via SMS can be significant. In December, Musk aired his grievances against the telcos and the fees they impose on Twitter Spaces:
“…I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America… Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.”
If bots outside of North America were costing Twitter $60 million annually, imagine how expensive the entire 2FA program is overall. Although most companies consider MFA simply the cost of doing business in the modern age, the difficult economic environment for tech companies is causing many CEOs to search for savings everywhere. It’s no coincidence that the shift toward passwordless technology has accelerated in the past year across industries, resulting in many companies achieving savings by eliminating pricey OTPs, bolstering security, and improving user experience.
Boosting Revenue: By folding SMS-based 2FA into Twitter Blue rather than phasing it out entirely, Twitter is betting that the added security benefits will entice new customers to pay for its premium service. While charging customers for services that were previously free is never going to win you any popularity contests, Twitter charging users for 2FA is a bit like General Motors charging drivers for seat belts.

Of course, Twitter is far from the only company searching for ways to monetize digital identity. Meta is now selling verified blue checks on Facebook and Instagram for $11.99 a month on the web or US$14.99 on iOS and Android.
Closing Thought
Twitter's decision to charge consumers for SMS-based 2FA is a great example of doing the right thing for the wrong reason. By disabling 2FA for the vast majority of their customers who do not pay for the premium service, Twitter is phasing out a security service that has long had major security vulnerabilities. This should be celebrated. That being said, removing 2FA is easy compared to what happens next. To improve security, Twitter should go passwordless and replace OTPs with a more sophisticated, more powerful solution like Prove Auth. Ultimately, removing even an imperfect solution like SMS-based 2FA without a plan to replace it with better technology is irresponsible and could result in a bonanza for fraudsters. If the phasing out of SMS-based 2FA results in increased fraud, the resulting PR nightmare will far outweigh the cost of sending out OTPs.

The modern
way of proving identity
Trusted by 2500+ leading companies to reduce fraud and improve consumer



Keep reading
Read the article: How to Achieve More B2B Customer Growth With Prove Pre-Fill® for BusinessProve Pre-Fill® for Business provides a comprehensive solution for organizations that want to onboard businesses by delivering faster onboarding, a decrease in abandonment, and a reduction in fraud (relative to attack rate).
Read the article: Account Takeovers: The Silent Revenue KillerAccount takeover (ATO) fraud is rapidly becoming one of the biggest threats facing digital marketplaces and gig platforms. Learn how ATO attacks work, why they are accelerating, the latest fraud trends and statistics, and how continuous identity verification helps organizations prevent account takeovers while protecting revenue, customer trust, and user experience.
Read the article: The Silent Drain: How SMS Pumping Is Bleeding Digital Marketplaces DrySMS pumping fraud is silently increasing verification costs for digital marketplaces by exploiting OTP workflows. Explore how these attacks operate, why traditional SMS authentication is failing, and how proactive phone intelligence can prevent fraud before an SMS is sent.