Twitter charges for two-factor authentication

Two-factor (or multi-factor) authentication is a method of increasing the level of security when accessing online services, such as social media or banking services. In addition to the username and password, an additional security code is required, which either arrives via SMS or is randomly generated through an application such as Google Authenticator, Microsoft Authenticator or others.

According to Twitter's statement, one would be led to believe that it intends to lower the security level of its users, but some clarification is needed.

Given the amount of vulnerabilities and security problems that the platform has suffered in the past, and the frequency with which the theft of various social media accounts takes place, here is a quick update on what is happening and what impact it could have on content creators who use Twitter to spread their work.

What really changes

There is actually very little to say: the change relates exclusively to authentication via SMS. The remaining methods via App Generator therefore remain fully functional, and are even more secure than the SMS mode.

Our suggestion, therefore, is to deactivate two-factor authentication via SMS in your account, and enable authentication via a dedicated app.

If you have not already activated two-factor authentication, it is strongly suggested that you use it to prevent someone from taking over your account using only the username and password.


The social media company's move, in my personal opinion, is legitimate and makes sense from an economic standpoint. According to statistics released by the company, of the registered users who use two-factor authentication, 74.4% use the SMS code.

Each SMS sent costs a few thousandths of a dollar, which when taken to the scale of Twitter users turns into '7-figure' costs (i.e. in the millions of dollars).

60 million a year, according to a tweet confirmed by Musk himself (I have not found more authoritative sources).

A figure achieved thanks to the fact that many bots were able to generate fictitious authentication requests by generating as many SMS messages, thus bringing a profit to telecommunications operators who decided to engage in this unethical tactic (again, apart from the exchange mentioned above, there are no official communications at the moment).

A bit like if a music label decided to auto-stream its own tracks on Spotify or other platforms (which obviously does not happen).

The second consideration that occurs to me is that SMS codes are already insecure in themselves. The number of so-called 'sim-swapping' attacks is increasing, especially in the US. This is a method of attack that allows the crook on duty to 'clone' someone's phone number and, consequently, divert messages to their own device.

That a publicly listed company with Twitter's budget and resources never realised how much the platform was being abused and looted by anyone with enough malice to do so is a story that perhaps deserves a post of its own.

About the Author

Sebastian Zdrojewski

Sebastian Zdrojewski

Founder, (He/Him)

Worked for 25 years in the IT industry facing cyber security, privacy and data protection problems for businesses. In 2017 founds Rights Chain, a project aiming to provide resources and tools for copyright and intellectual property protection for Content Creators, Artists and Businesses.