Twitter announced Friday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.
Twitter’s two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.