Should Twitter Charge for SMS 2FA If a Better Option Already Exists?

Can you put a price tag on security? According to Twitter executives, you can. For $8 a month, the cost of Twitter’s premium service Twitter Blue, customers can continue to enjoy the added security benefits of 2-factor authentication. Users who do not subscribe to Twitter Blue will be booted from phone-number based 2FA, a service that was previously free, in 30 days. The product announcement has caused controversy for the social media giant, raising concerns from privacy advocates, eliciting mixed reviews from the cybersecurity community, and causing widespread confusion among Twitter users. 

Here’s an excerpt from Twitter’s official announcement:

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

When announcing its plan to make SMS-based 2FA a paid feature, Twitter took the unorthodox approach of highlighting the very legitimate limitations of phone-number based 2FA rather than highlighting its benefits. In this brief excerpt, Twitter (1) describes 2FA as popular, (2) admits that 2FA can be “used and abused by bad actors,” and (3) announces a plan to limit 2FA to paying customers only. No wonder why folks are confused! 

Is there a method to the madness? To find out, we’ll dive into both the strengths and weaknesses of SMS-based 2FA, take a look at the macroeconomic pressures informing Twitter’s decision to begin charging for the service, and finally study the potential implications of this bold move on the digital authentication landscape at large.

Why has phone-number based 2FA been “historically popular”? 

Two-factor authentication is a common subset of Multi-Factor Authentication (MFA). In Twitter’s case, the user’s first credential is their username and password. If they have 2FA activated, the user’s second credential is a unique string of numbers known as a one-time passcode that is sent to their registered phone via SMS.  At Prove, we call this ‘running a possession check.’ 

Phone-number based 2FA is popular because it doesn’t require the user to download an authentication app. It’s as simple as receiving an SMS. Unfortunately, as the Twitter statement rightly pointed out, 2FA also has some major security vulnerabilities.

What are the limitations of SMS-based 2FA? 

Despite their popularity, SMS-based 2FA has security vulnerabilities that are worth noting as fraudsters have developed a playbook to steal a victim’s OTP via a SIM swap fraud.

With SIM swap attacks, fraudsters can surreptitiously take over a victim’s phone, intercept the OTP, and successfully enter into a victim’s account in just minutes. There are multiple reports outlining the devastating effects of SIM swap fraud on a victim’s life. 

SIM swap attacks are a common way for fraudsters to bypass many MFA flows by intercepting OTPs. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another recent study on the top five US prepaid carriers highlighted that 80% of SIM swap attacks were successful because of authentication vulnerabilities. 

If SMS-based 2FA is vulnerable to attack, why is Twitter turning it into a paid feature?

For the money, of course. As their old model of ad revenue implodes, the social media giants are searching for new ways to cut costs and boost revenue. Charging users for 2FA achieves both these goals.

Cutting Costs: The cost of generating these OTPs and sending them via SMS can be significant. In December, Musk aired his grievances against the telcos and the fees they impose on Twitter Spaces: 

“…I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America… Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.”

If bots outside of North America were costing Twitter $60 million annually, imagine how expensive the entire 2FA program is overall. Although most companies consider MFA simply the cost of doing business in the modern age, the difficult economic environment for tech companies is causing many CEOs to search for savings everywhere. It’s no coincidence that the shift toward passwordless technology has accelerated in the past year across industries, resulting in many companies achieving savings by eliminating pricey OTPs, bolstering security, and improving user experience. 

‍Boosting Revenue: By folding SMS-based 2FA into Twitter Blue rather than phasing it out entirely, Twitter is betting that the added security benefits will entice new customers to pay for its premium service. While charging customers for services that were previously free is never going to win you any popularity contests, Twitter charging users for 2FA is a bit like General Motors charging drivers for seat belts. 

Of course, Twitter is far from the only company searching for ways to monetize digital identity. Meta is now selling verified blue checks on Facebook and Instagram for $11.99 a month on the web or US$14.99 on iOS and Android.

Closing Thought

Twitter's decision to charge consumers for SMS-based 2FA is a great example of doing the right thing for the wrong reason. By disabling 2FA for the vast majority of their customers who do not pay for the premium service, Twitter is phasing out a security service that has long had major security vulnerabilities. This should be celebrated. That being said, removing 2FA is easy compared to what happens next. To improve security, Twitter should go passwordless and replace OTPs with a more sophisticated, more powerful solution like Prove Auth. Ultimately, removing even an imperfect solution like SMS-based 2FA without a plan to replace it with better technology is irresponsible and could result in a bonanza for fraudsters. If the phasing out of SMS-based 2FA results in increased fraud, the resulting PR nightmare will far outweigh the cost of sending out OTPs.

‍

‍