Cyber leaders mock Twitter decision to yank 2FA for non-subscribers

Twitter quietly announced last week that it plans to remove two-factor authentication for all unpaid accounts in an effort, it says, to reduce abuse of phone-based 2FA by threat actors.

“To date, we’ve offered three methods of 2FA … unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors,” officials said in the announcement. “Starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

Twitter is giving non-subscribers already enrolled in the phone-based 2FA method just 30 days to disable it and enroll in another authentication method. After March 20, non-subscribers will no longer be allowed to use text messages as a 2FA method.

What’s more, Twitter intends to disable all accounts with text message 2FA still enabled at that time. Officials are encouraging non-subscribers to use an authentication app or a security key instead.

Source: SC Media