Twitter’s changes to MFA: What the move means for the future of authentication

A recent announcement by Twitter has begun to rock the multi-factor authentication (MFA) boat, and the ripples have spread throughout the tech world. The company announced that starting on March 20, 2023, unless a user is subscribed to its Twitter Blue program (an $11/month subscription), they will lose access to SMS-based two-factor authentication (2FA). SMS has historically been put forth as a low-friction mechanism that offloads several security and recovery functions to users’ mobile carriers.

Recent history has shown that not all MFA is created equal, as highlighted by the weaknesses of SMS-based 2FA against SIM swapping and social engineering attacks. There is also a hard cost to companies that choose to enable SMS 2FA.

When SMS codes are sent to devices, the communication is relayed through a third party, such as a phone company or messaging service, and the service provider pays for each message. These messages are automated as part of the login flow. At a small scale this may seem a negligible cost compared to other methods. For large service providers like Twitter, however, abuse of these mechanisms can be a very costly proposition. Bad actors exploit this by creating fleets of fake accounts and triggering MFA messages that are never answered, in what are known as SMS pumping attacks.

Legitimate accounts can also be compromised in account hijacking or identity theft scenarios via SIM swapping and social engineering. Even for small and medium-sized businesses, third-party costs related to SMS can grow quickly, especially if the service is the target of pumping.
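As an added illustration of the pumping pattern described above (example code written for this explanation, not Twitter's or Yubico's detection logic), the script below groups constructed OTP send/verify log lines by destination number prefix and flags prefixes with many codes sent, few completed verifications, and many distinct accounts. The log format, the prefix length and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real telemetry): "sent" means the service paid
# to deliver an SMS code, "verified" means the user entered it successfully.
# The +1555 and +991 numbers are fictional.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z sent account=u1001 to=+1555010001
2023-03-01T10:00:05Z verified account=u1001 to=+1555010001
2023-03-01T10:00:07Z sent account=u1002 to=+1555010002
2023-03-01T10:00:12Z verified account=u1002 to=+1555010002
2023-03-01T10:01:00Z sent account=f9001 to=+99155501001
2023-03-01T10:01:01Z sent account=f9002 to=+99155501002
2023-03-01T10:01:02Z sent account=f9003 to=+99155501003
2023-03-01T10:01:03Z sent account=f9004 to=+99155501004
2023-03-01T10:01:04Z sent account=f9005 to=+99155501005
2023-03-01T10:01:05Z sent account=f9006 to=+99155501006
2023-03-01T10:01:06Z verified account=f9001 to=+99155501001
"""

LINE_RE = re.compile(r"^(\S+) (sent|verified) account=(\S+) to=(\+\d+)$")


def prefix_of(number: str, digits: int = 5) -> str:
    """Group E.164 numbers by their leading digits (country/carrier range)."""
    return number[: digits + 1]  # keep the leading '+'


def pumping_report(log_text: str, min_sends: int = 5, max_ratio: float = 0.5) -> dict:
    """Return {prefix: (sends, verifications, distinct_accounts)} for prefixes
    whose OTP traffic looks like pumping: at least `min_sends` codes sent and
    at most `max_ratio` of them ever verified by a user."""
    stats = defaultdict(lambda: [0, 0, set()])  # sends, verified, accounts
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, event, account, number = m.groups()
        entry = stats[prefix_of(number)]
        if event == "sent":
            entry[0] += 1
            entry[2].add(account)
        else:
            entry[1] += 1
    flagged = {}
    for prefix, (sends, verified, accounts) in stats.items():
        if sends >= min_sends and verified / sends <= max_ratio:
            flagged[prefix] = (sends, verified, len(accounts))
    return flagged
```

In production the same ratio would be computed per time window and fed into rate limits or a block on sending to the flagged ranges, so the cost stops accruing.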

Fortunately, by adopting modern alternative MFA methods like FIDO2/WebAuthn, service providers can maintain ease of use and flexibility in their MFA workflows while cutting out the major costs and risks associated with SMS.

The future of MFA with FIDO2 and WebAuthn

The WebAuthn standard, which together with CTAP makes up FIDO2, describes user-friendly and cryptographically secure authentication methods that are flexible, modern and do not require additional per-transaction costs for the service provider. It is supported by all modern operating systems and browsers, and can leverage the built-in authentication features of devices such as computers and phones, or even more secure options like external security keys. Yubico, the inventor of the YubiKey, which is the gold standard for hardware security keys, also created and continues to contribute to the FIDO2/WebAuthn standards.

Since mid-2019, Twitter has offered customers the option of WebAuthn, and it is the company’s preferred MFA method for its internal employees as well. Twitter also supports it as the only MFA method users can select that does not require a phone number, which helps enhance privacy and anonymity. Instructions for enrolling WebAuthn devices can be found on Twitter’s Knowledge Base.

WebAuthn is the de facto phishing-resistant MFA standard: it allows end users to associate their security keys or security devices with a wide array of services, and because the browser binds every assertion to the origin and relying party it was made for, a credential presented on a look-alike site fails verification rather than being handed to an attacker. Since users bring their own authenticator and the standard is free to use, companies can provide highly secure MFA that does not incur unexpected transactional cost. Twitter, by essentially retiring SMS 2FA for non-Twitter Blue subscribers, is taking a bold step forward in both controlling its costs and guiding users to stronger, easier-to-use authentication methods.
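To show concretely why a WebAuthn assertion cannot be phished the way an SMS code can, the added example below (written for this article, not Twitter's or Yubico's code) performs the origin, RP ID and challenge checks a relying party applies to the browser-supplied clientDataJSON and authenticatorData. The domains (example.com and the look-alike example-login.test) and the constructed browser/authenticator output are assumptions; signature verification with the registered public key is a required further step that is omitted to stay within the standard library.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces for
    navigator.credentials.get(): the browser, not the user, fills in origin."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags UP|UV || signCount (4).
    The authenticator hashes the RP ID the browser derived from the page's
    domain, so a look-alike domain produces a different rpIdHash."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
            + sign_count.to_bytes(4, "big"))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, expected_rp_id: str,
                            expected_challenge: bytes) -> tuple:
    """Origin, RP ID, challenge and user-presence checks on an assertion.
    The signature over authenticator_data || SHA-256(client_data_json) must
    additionally be verified with the credential's registered public key."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


CHALLENGE = hashlib.sha256(b"constructed server nonce").digest()  # per-login nonce
```

Contrast this with SMS: a six-digit code carries no information about where it was typed, so a user who enters it on a look-alike page has handed the attacker a valid second factor.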

To find out which YubiKey is right for you, we encourage Twitter users and others who are looking for a modern MFA alternative to SMS or authenticator apps to take Yubico’s quiz. A great option for Twitter users is the newly updated Security Key Series, which offers high security for all online accounts via FIDO-based phishing-resistant MFA. You can see all of our security key options and form factors via our store.
