Twitter has been criticised for its move to make users pay for SMS-based two-factor authentication, with an expert warning that security on the platform is about to get worse.

Last week it was announced that only paying subscribers to Twitter would be able to use two-factor authentication (2FA) via text message from next month.

Two-factor authentication (2FA) is a basic account security control: in addition to a password, the user must present a second factor at login. On Twitter that second factor can be a one-time code sent by SMS, a one-time code generated by an authenticator app on the user's device, or a physical security key.

SMS-based 2FA is widely regarded as significantly less secure than the other two options, but it is the most commonly used and is still better than relying on a password alone.

In a blog post on the changes, Twitter said that non-paying users who currently use SMS 2FA would have 30 days to enrol in a different authentication method before SMS 2FA is disabled on their accounts.

“While historically a popular form of 2FA, unfortunately we have seen phone number-based 2FA be used – and abused – by bad actors,” the Twitter blog post said.

“So starting today, we will no longer allow accounts to enrol in the text messages / SMS method of 2FA unless they are Twitter Blue subscribers.”

According to the most recent figures, only 2.6 percent of Twitter users have two-factor authentication turned on at all, and nearly 75 percent of those rely on SMS as their second factor.

Now only those paying for Twitter Blue will be able to use this method of two-factor authentication.

Twitter Blue is the subscription service launched for the platform under new CEO Elon Musk. It costs users $19 per month on iOS and $13 per month on the web.

Professor Asha Rao, associate dean of mathematical sciences in the School of Science at RMIT University, said the change will likely make cyber security on Twitter significantly worse.

“With Twitter’s latest policy, we may see even fewer people using two-factor authentication because they don’t realise it can be done another way, such as an app like Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile or 1Password,” Rao said.

“Social media companies could be creating technology solutions to authentication and building these solutions into their platforms. But, thus far, we haven’t seen any of the social media giants proactively tracking cyber security in this way.”

There are also concerns that Twitter’s move will make SMS two-factor authentication look like a premium feature reserved for paying users, even though it is the weakest of the three second-factor options.

Social media companies need to be doing more to address cyber security, Rao said.

“Social media already has a problem with cyber security,” she said.

“We are lacking in both incentives for positive behaviour and repercussions for social media companies who fail to protect the vast amounts of data they collect on users.

“By contrast, the consequences of insecure data in the banking and finance sector are obvious to all and the expectations of companies in this space – both legally and socially – reflect that. This is not the case for companies like Twitter or Meta, which have poor cyber security practices and policies.”

Two-factor authentication via text message is considered less secure in part because of the prevalence of “SIM swapping” attacks, in which an attacker uses harvested personal information about the victim to convince the mobile carrier to port the victim’s phone number to a SIM card the attacker controls.

From that point the attacker receives the victim’s calls and text messages, including any SMS 2FA codes, and can send messages in the victim’s name. Combined with the victim’s password, obtained separately, those codes let the attacker pass the SMS second-factor check and take over the account.