Twitter's two-factor authentication (2FA) service via SMS is no longer free. Twitter users who wish to enable 2FA via SMS must subscribe to Twitter Blue.
In its official announcement, Twitter said that this new policy would take effect after March 20, 2023. So Twitter users who do not subscribe to Twitter Blue and have activated 2FA via SMS have 30 days to deactivate it.
"After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use SMS as a 2FA method," Twitter said in a blog post.
"At that time, accounts with 2FA via SMS still active will be deactivated. Turning off 2FA SMS will not automatically disconnect your phone number from your Twitter account," he continued.
Twitter users who still want to use 2FA via SMS must subscribe to Twitter Blue for IDR 120,000 per month (or IDR 165,000 per month via Android and iOS). As an alternative security method, Twitter advises users to enable 2FA using an authenticator app or physical security key.
Twitter argues that although SMS is the most popular 2FA method, it can be abused by irresponsible people. For example, with a SIM swap attack where hackers can convince mobile operators to switch user numbers to devices controlled by hackers.
According to data uploaded by hacker Rachel Tobac on Twitter, currently only about 2.6% of Twitter users activate 2FA. But of that 2.6%, 74% use 2FA via SMS.
Apart from security concerns, money seems to be the reason why 2FA via SMS is no longer free. Sending SMS to provide users with 2FA codes costs money, and Twitter's financial condition is not good right now.
Twitter CEO Elon Musk has also complained about this before. In a tweet, Musk said Twitter was "snagged" by mobile operators $60 million a year for fake 2FA SMS.