Twitter Removed My Two-Factor Authentication Without Notice

This morning, I woke up to an email from verify@twitter.com that said:

Twitter two-factor authentication is now off

You’ve turned off two-factor authentication for @JonasBorch This means you’ll no longer have this added protection when you log in to Twitter. Your account will be more vulnerable to compromise. You can turn on two-factor authentication any time in the Account > Security section of your Twitter settings.

The email I received from Twitter this morning.

Shocked isn’t even the right word

As I’m the founder of Hacked.com and work with cybersecurity daily, I feared that someone for a change had managed to hack me! The message I received from Twitter today is often a message one would receive if an active hack attack is occurring. I immediately logged into Twitter to figure out what had happened. Thankfully, I could still log in, but when I went to Settings -> Security and account Settings -> Security -> Two-Factor Authentication, I saw that I had zero enabled two-factor authentication (2FA) methods.

My 2FA methods were disabled on Twitter.

Why is this an issue?

Without a two-factor authentication method enabled, a hacker or phisher only needs your password to take over your account. And as we all know, passwords can leak, be brute-forced, be given away by mistake (social engineering), and so forth. It’s not safe to rely on passwords alone. We at Hacked.com, like all other cybersecurity experts, recommend using two-factor authentication to enhance online security.

Twitter’s Explanation

So what happened? Why was my 2FA disabled? After a few seconds, I found the following message on Twitter when trying to re-enable the 2FA Text message option:

Choose a different verification method. This two-factor authentication method is only available to Twitter Blue subscribers. Please select a different method. Learn more about two-factor authentication.


Which then took me to a page with a notice saying:

Notice:

Effective 20 March 2023, we will no longer support two-factor authentication using text messages for non-Twitter Blue subscribers. At that time, if you have text message 2FA still enabled, you will be prompted to disable it before you can continue to use your account. Please note the availability of text message 2FA for Twitter Blue may vary by country and carrier. Learn more here.

I understand that Elon Musk wants to make Twitter profitable, but I am appalled that I didn’t receive a notice by email before the change. I should also have received a big red notice on Twitter for the past 14 days telling me to change my 2FA method, as it would be removed from my account. A hidden update on Twitter’s blog is not enough.

And no, I do not want to pay to use Twitter, Elon. I’ve also blocked your tweets from reaching my feed, as you have been spamming me lately.

A good thing…

My account wasn’t hacked, and I’ve secured it with new two-factor authentication methods. The text message option is considered a weaker 2FA method than, for example, a security key or an authenticator app, due to the possibility of SIM hijacking, SIM swapping, or SIM cloning. Maybe it was a good thing that Elon removed that option for me. Just remember to have backup options or backup codes!

Featured image by Midjourney and Jonas Borchgrevink.