(WHTM) — On Wednesday, Feb. 15, 2023, Twitter posted a message on their blog entitled “An update on two-factor authentication using SMS on Twitter”.
Two-factor authentication is frequently abbreviated as 2FA, and it’s a standard method of applying an additional layer of protection to online accounts, everything from emails to online banking to, well, just about everything.
Two-factor authentication changes logging into an online account from a two-step to a three-step process, which can be kind of annoying when you already have trouble enough remembering your password, but seriously it’s worth the trouble.
So step one, you go to an online site, and enter your username. Step two, you enter a password. At this point, 2FA kicks in. You will then be given a code number, which you then enter on the site, hit enter, and voila! You are granted access to the site.
How you get the code is something you have to set up. You can use an authentication app. This is a program that you download to your computer/phone/tablet/multifunction coffeemaker. Once you get it installed and enabled it will generate a random number when you log onto a website. You then enter this number to supply the second form of identification.
Another method is to use a security key, a physical device you plug into your computer, usually through a USB port. You enter the accounts you want to be watchdogged, and they will then only be accessible when the key is plugged in.
Both these methods provide excellent security, but they can be a bit fiddly to set up. (And heaven help you if the cat accidentally bats your security key down a mousehole.) But by far the most popular method of two-factor authentication is SMS.
SMS is an abbreviation for Short Message Service or sometimes Short Messaging Service. Most of the time we just call it “sending a text” or “texting.” Setting up SMS/2FA is very easy: websites will usually have a spot where you can activate it with a few mouse clicks. Then, when you log onto a site, you will, depending on the method you select, get a text message or email message with a code number to enter, which is usually valid for just a few minutes. (Some sites can also send you a number by an automated phone message.)
SMS is hands down the simplest of the three methods, and the most popular. Unfortunately, it’s also the least secure. Hackers are finding all sorts of ways to harvest information from SMS texts. The topic is worthy of an article in itself, which thankfully has already been written.
Which brings us back to the Twitter blog. It announces that because “we have seen phone-number based 2FA be used – and abused – by bad actors”, they are no longer allowing people to sign up for it. The post goes on to announce what happens after March 20: “At that time, accounts with text message 2FA still enabled will have it disabled.”
This announcement, not surprisingly, is enough to have a lot of people in an uproar, but the post also announces SMS verification will still be open to Twitter Blue subscribers, an $8/month service “that adds a blue checkmark to your account and offers early access to select features.” This has people doubly infuriated; Twitter Blue was once a free service, and now SMS verification is also being put behind a paywall.
So how much is SMS fraud costing Twitter? Elon Musk, the owner of Twitter, responded to a recent post claiming that the company was losing $60 million a year due to scam SMS with a one-word answer – “Yup.”
Whether the figure is correct or not, security experts are asking: if SMS is so dangerous and costly, why continue to offer it at all?