SMS shutdown: secure your Twitter account now

If you’ve logged into Twitter over the past couple of days, you may have seen a stark warning: Twitter plans to shut down two-factor authentication by SMS message unless you become a paying subscriber.

The crass way this has been communicated has led many to argue that Twitter is trying to blackmail customers into subscribing to Twitter Blue for a minimum £8 per month ($8 in the US, $12 in Australia). In fact, Twitter’s doing you a favour. There are free alternatives to SMS authentication that are much more secure than text messages.

How to secure a free Twitter account

SMS is a relatively insecure way of providing two-factor authentication. SMS messages aren’t encrypted and can be intercepted. Criminals have also been known to use SIM swap hacks, where they effectively hijack your phone number, allowing them to receive the code that grants them access to your Twitter account. Twitter founder Jack Dorsey had his own Twitter account hijacked by that exact method. It was time to dump SMS verification anyway. Twitter’s just given you a nudge.

Twitter still offers two alternative methods of two-factor authentication for free, both of which are superior.

The first is a hardware key, such as the YubiKey devices. You either have to insert this key into a computer’s USB slot or press it against your phone’s NFC reader to verify it’s you. It’s a good solution, but one that comes at a cost. Those keys start at around £50 each in the UK.

The free alternative is to rely on an authenticator app. For this, we’d recommend Authy, which works across all the major desktop and mobile operating systems. Authy spits out a unique six-digit code that you must enter when you attempt to log in to Twitter on a new device. The code changes every 30 seconds, so there’s minimal risk of someone being able to nab your code.

Authy works with all manner of different apps and services for two-factor authentication, and it’s very simple to use. We suggest you install Authy on more than one device so that if your mobile phone is stolen or broken, you still have access to those vital 2FA codes and won’t get locked out of your accounts.

How to set up Twitter to work with Authy

Fortunately, setting up Twitter to work with Authy involves only five simple steps.

  1. First install Authy, taking particular care to note down the Authy backup password. It’s also a good idea to secure your Authy app with the fingerprint reader on your phone, when offered, to prevent anyone from picking up a phone left on a desk, say, and getting access to your security codes.
  2. Open the Twitter app on your mobile phone and press the profile icon in the top-left corner. Now select Settings and privacy > Security and account access > Security > Two-factor authentication.
  3. Switch off Text message if that’s still active.
  4. Now from that same menu, select Authentication app.
  5. In the screen that follows, you should be asked to link an authentication app to your Twitter account. Choose Authy and follow the on-screen instructions. You’ll be asked to enter a code from Authy at some point during the set-up procedure.

Once that’s all set up, you’ll be asked to provide a code from Authy every time you attempt to log in to Twitter from a new device.

If you’re running an account for a business or a brand, you’ll need to think about how you manage this security process, as only one person can have the Authy codes. They will need to be instantly contactable every time someone attempts to use Twitter from a new device, as those codes refresh every 30 seconds.

For more about securing your business, read our explainers on endpoint security and ransomware.

Barry Collins

Barry has 20 years of experience working on national newspapers, websites and magazines. He was editor of PC Pro and is co-editor and co-owner of BigTechQuestion.com. He has published a number of articles on TechFinitive covering data, innovation and cybersecurity.
