SMS 2FA for Twitter accounts: what security teams should rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7627
Topic starter  

TL;DR: Twitter is restricting SMS-based 2FA to paid subscribers after reporting more than $60 million in annual losses from abuse, while Wired noted that only 2.6% of users had 2FA enabled and the FTC put social-media impersonation fraud at up to $1.2 billion in 2022. The real issue is not whether SMS is convenient, but that account security still depends on a weak factor that attackers routinely exploit.

NHIMG editorial — based on content published by 1Kosmos: Twitter's SMS 2FA rollback and the case for stronger account verification

By the numbers:

Questions worth separating out

Q: How should organisations reduce account takeover risk without relying on SMS 2FA?

A: Move high-risk accounts to phishing-resistant factors such as security keys or authenticator apps, then harden recovery and support flows so they are not easier to abuse than login.

Q: Why does SMS 2FA fail in practice for sensitive accounts?

A: SMS 2FA fails because it depends on a delivery channel that can be intercepted, redirected, or socially engineered.

Q: What do security teams get wrong about multi-factor authentication?

A: Many teams assume that adding any second factor solves the problem.

Practitioner guidance

  • Phase SMS out of high-risk account journeys: remove text-message 2FA from admin, creator, finance, and brand accounts first.
  • Harden recovery and re-enrolment paths: treat password reset, device change, and factor re-binding as privileged workflows.
  • Prioritise phishing-resistant factors for exposed populations: use authenticator apps or security keys for users whose accounts have reach, revenue, or publication authority.
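The three guidance points above are really one policy: rank factors by strength, set a per-tier minimum, and never let a recovery or re-binding flow accept a weaker factor than login does. The following is an added illustration written for this post, not code from 1Kosmos or NHIMG; the tier names, the factor ranking, the `high_risk` minimum of an authenticator app, and the sample accounts are all assumptions chosen to show the policy, not values taken from the article.

```python
from dataclasses import dataclass
from enum import IntEnum


class Factor(IntEnum):
    """Second factors ordered by strength; the ordering is an assumption for this example."""
    SMS_OTP = 1
    TOTP_APP = 2
    SECURITY_KEY = 3  # FIDO2/WebAuthn style hardware key


# Factors considered phishing-resistant (assumed for this example).
PHISHING_RESISTANT = {Factor.SECURITY_KEY}

# Minimum acceptable second factor per account tier (assumed thresholds).
# "high_risk" stands in for admin, creator, finance and brand accounts.
TIER_MIN_FACTOR = {
    "standard": Factor.SMS_OTP,
    "high_risk": Factor.TOTP_APP,
}

# Flows the guidance says to treat as privileged rather than as ordinary logins.
PRIVILEGED_WORKFLOWS = {"password_reset", "device_change", "factor_rebind"}


@dataclass
class Account:
    name: str
    tier: str
    factors: set  # second factors currently enrolled on the account


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_login(account: Account, presented: Factor) -> Decision:
    """Accept a login only with an enrolled factor that meets the tier minimum."""
    if presented not in account.factors:
        return Decision(False, f"{presented.name} is not enrolled on {account.name}")
    required = TIER_MIN_FACTOR[account.tier]
    if presented < required:
        return Decision(False, f"{presented.name} is below tier minimum {required.name}")
    return Decision(True, "ok")


def evaluate_workflow(account: Account, workflow: str, presented: Factor) -> Decision:
    """Recovery and re-binding must not be easier than login.

    They must pass the login check, must use at least the strongest factor the
    account has enrolled (so a weaker channel cannot be used to replace a stronger
    one), and on the high-risk tier must use a phishing-resistant factor.
    """
    if workflow not in PRIVILEGED_WORKFLOWS:
        return evaluate_login(account, presented)
    login = evaluate_login(account, presented)
    if not login.allowed:
        return login
    strongest = max(account.factors)
    if presented < strongest:
        return Decision(False, f"{workflow} requires {strongest.name}, got {presented.name}")
    if account.tier == "high_risk" and presented not in PHISHING_RESISTANT:
        return Decision(False, f"{workflow} on high_risk tier requires a phishing-resistant factor")
    return Decision(True, "ok")


def sms_phase_out_queue(accounts) -> list:
    """Names of accounts whose only second factor is SMS, high-risk tier first."""
    sms_only = [a for a in accounts if a.factors == {Factor.SMS_OTP}]
    sms_only.sort(key=lambda a: (a.tier != "high_risk", a.name))
    return [a.name for a in sms_only]


# Constructed sample accounts for the demonstration (not real data).
SAMPLE_ACCOUNTS = [
    Account("brand-main", "high_risk", {Factor.SMS_OTP}),
    Account("finance-ops", "high_risk", {Factor.SMS_OTP, Factor.SECURITY_KEY}),
    Account("reader", "standard", {Factor.SMS_OTP}),
]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        for factor in acct.factors:
            print(acct.name, "login via", factor.name, evaluate_login(acct, factor))
            print(acct.name, "reset via", factor.name,
                  evaluate_workflow(acct, "password_reset", factor))
    print("phase out SMS first on:", sms_phase_out_queue(SAMPLE_ACCOUNTS))
```

The point the code makes is the one the guidance makes: `finance-ops` can still log in with its security key, but its password reset is refused over SMS even though SMS is enrolled, and `brand-main` is at the head of the phase-out queue because it is a high-risk account whose only second factor is the weak one.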

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor positions biometric-based identity verification as an alternative to SMS, app-based, and key-based 2FA.
  • The certification claims and assurance references the vendor uses to support its passwordless authentication approach.
  • The subscription and account-tier use cases the vendor says could benefit from stronger identity verification.
  • The vendor's view of how verified identity could change trust for creator, business, and multi-user brand accounts.

👉 Read 1Kosmos's article on replacing SMS 2FA with stronger account verification →
