11 comments

[ 2.0 ms ] story [ 37.1 ms ] thread
Twitter just made me disable my SMS 2FA setting, reserving the feature for twitter blue users. It's a weird decision on their part, they still allow me to use an MFA application or a hw key, just not SMS. SMS 2fa is understood to be the least secure form of MFA so I am surprised Twitter only reserves it for their twitter blue users.
I guess it actually makes a lot of sense, this is because sending SMS costs money, sometimes quite a lot when you are doing it at scale, if the user is paying you at least recoup those expenses.
Does this mean twitter no longer immediately disables new accounts when they fail to add a phone number for receiving 2FA?
Probably. I don't have 2fa enabled right now. Although I will probably switch to google auth very soon.
The rationale is that 2FA was being abused by some telcos with sockpuppets at a net cost of (ostensibly) some 50+Million a year for twitter.

If that's true, and because it's the least secure MFA option, I don't see it being that difficult or controversial of a decision.

I also do enjoy that this is listed as an 800% increase, not really how 0->$8 works.

Whoever made this page, certainly isn't being completely honest. Twitter is only charging for SMS based 2FA... which is far less secure than the freely available options offered... if people want to pay for the SMS based and be less secure, that is their prerogative.
Whoever made this page also wasn't smart or thinking straight, $0 to $8 is not a 800% increase LOL, that doesn't even make sense.
Yeah, to be honest this is a bit lame. The page links out to the original inspiration, https://sso.tax/, which is useful and highlights a very common, bad practice in pricing for business software.
If anything, they should be calling out the companies that only allow SMS based 2FA and don't offer any app based MFA solutions. (And there are still plenty of these companies)
Yeah, I find it the height of hypocrisy that Google talks about the dangers of SMS-based 2FA, but Firebase, the development PaaS owned by Google, only offers SMS 2FA for their auth product despite years of complaints.