by ravivyas 1216 days ago
Two points in a single sentence (OK, 1 or 2 lines, not a single sentence):

> While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.

This is a cost cutting measure. The irony is that "Blue" users are probably the ones to be attacked, and they are by no means more conscious about security.

On a lighter note, I have won more lotteries on email when compared to SMS.

3 comments

I am super confused about how they could write that with a straight face.

Like what does "you have to pay us to use this feature" have ANYTHING to do with the flaws that SMS 2FA has? Does paying get you someone to look at every login attempt or something? Otherwise... the blue checkbox kinda paints a target on your back?

I'm guessing it's something like "pay us for the hassle of having to clean up your mess when you end up getting hit". But the reality of it is "please pay for twitter blue. we can't just make the whole site blue only so we'll piecemeal each bit of functionality until we can just make the site paid-for only."
Yeah that's exactly what it is, them desperately trying to find reasons to force people to pay.

This one in particular is just a very odd choice. Pushing people away from SMS 2FA is one thing, but not like this.

I think you missed the point of their comment -- you both agree with each other.
I am referring to the comment the OP is talking about. Updated to make that clear.
A lot of people think that this is cost cutting. It isn't.

What people are missing is that the Twitter Blue people who paid for Twitter are the people that Twitter doesn't want to stop paying. They would if this hit them, because _even though_ security professionals know that SMS-based two-factor authentication is a security problem, and even though getting rid of it has been widely propounded by Microsoft and others for almost half a decade now (Microsoft having doco going back to 2018), the userbase still sees it as "getting rid of security" and the loss of a perquisite.

Just witness the headlines and news coverage in the past 24 hours: "Twitter will now charge to secure your account", "security features that could put a large number of the site’s members at risk if disabled", and so forth.

Amusingly, the best headline today is probably Charisma Madarang in Rolling Stone magazine: "Twitter to Allow Only Blue Subscribers to Use Worst Form of Authentication" (https://www.rollingstone.com/culture/culture-news/twitter-bl...) M. Madarang even reminds us that Jack Dorsey fell victim to this very vulnerability in 2019.

Remove this authentication choice from Twitter Blue people, and they stop paying for Twitter Blue, because they too, like the headline writers, don't see this as finally taking away something that has made them as vulnerable as Jack Dorsey was for years. So, ironically, in order to keep them paying, the Twitter Blue people get disadvantaged by Twitter. Security improvements are sacrificed in order to retain a revenue stream.

The FTC recently fined Twitter for using 2FA numbers in ad targeting. I wonder if the Blue sub includes a clause about being able to use numbers in such a way. Or the fine has reduced the value of having those numbers.
Yeah, I'm honestly offended about them saying it has anything to do with security. This is 100% solely a cost cutting measure.

As a result of this, I guarantee that tons of users will just go without any 2FA solution at all (it's still optional) which will end up being much less secure for the vast majority of users.

I’d like to see required phone numbers when signing up (presumably for my “safety”) eliminated absolutely everywhere.

It’s a way to gather PII which, of course, eventually gets hacked and leaked.