When SMS (Short Message Service) text messaging was invented, it wasn't designed to be used as a security method. However, that didn't stop developers from using it as one, with platforms sending users security codes to access their most important accounts.
While the practice of using SMS 2-factor authentication is slowly being phased out, the news of Twitter starting to only make the feature available to those who subscribe to Twitter Blue has brought the vulnerable technology back into the public conversation.
Twitter users who “secure” their accounts using text message codes will lose the ability to do so after March 19 unless they subscribe to Twitter Blue. Twitter is likely making the change because the company is trying to cut costs and it actually costs the company money to send text messages and the feature is insecure anyway.
However, the more secure option of using an authenticator app will still be available to all users, meaning that the change should result in many more users switching away from the insecure feature of SMS 2-factor authentication.
SMS-based 2-factor authentication (2FA) is less secure than other forms of 2FA because it is vulnerable to a number of attacks:
SIM Swaps: In a SIM swap attack, a hacker impersonates a victim and convinces the victim's mobile carrier to transfer the victim's phone number to a SIM card controlled by the hacker. Once the hacker has control of the phone number, they can intercept SMS-based 2FA codes sent to the victim's phone and use them to gain access to the victim's accounts. Even Twitter CEO's Jack Dorsey was once hacked using this method.
Social Engineering: Attackers can use social engineering tactics to trick victims into revealing their SMS-based 2FA codes. For example, an attacker might send a phishing email or text message that appears to be from a legitimate source and ask the victim to enter their 2FA code.
Interception: SMS messages are not encrypted, so they can be intercepted and read by anyone who has access to the mobile network. This means that an attacker could potentially intercept the 2FA code and use it to gain access to the victim's accounts.
Phone theft: If a victim's phone is stolen, an attacker may be able to access their accounts if the phone is not secured with a passcode or other security measures.
Because of these vulnerabilities, SMS-based 2FA has never been considered a secure form of 2FA. More secure alternatives include time-based one-time passwords (TOTP) generated by an authenticator app or hardware-based security keys like YubiKeys.