Twitter will remove free SMS 2FA or two-factor authentication. Here's what you can use instead – ABC News
Last month, Twitter announced it was ending free SMS two-factor authentication.
You may have seen this news, and you may well have done nothing to prepare.
The date of the change is almost here. From Monday, March 20, people who haven't paid $13 a month to subscribe to Twitter Blue will have two-factor authentication (2FA) via SMS disabled.
Here's what that means, what effect it could have on the platform, and how you can make your account just as secure for no extra cost.
Two-factor authentication is an extra layer of security designed to stop your account being taken over if your password is compromised.
The most common form is SMS 2FA. Once you've entered your password to log into an account, the authentication system sends your phone an SMS with a code. You enter this code on the website to prove you also control the phone number on the account, a second factor beyond the password.
Other forms of 2FA are software-based authentication tokens and hardware keys. We'll get to those later.
Banks, social media platforms and other security-conscious organisations generally see 2FA as a good and useful thing, especially since many people riskily reuse the same password across several platforms, so one leaked password unlocks all of them.
For this reason, SMS 2FA is usually offered free of charge.
Why make the change? Twitter's owner, Elon Musk, has given two different reasons: one is about money, the other about security.
Last month, Mr Musk tweeted that phone companies were scamming Twitter out of $US60 million a year by sending "fake" 2FA SMS. That is, Twitter pays telcos for every 2FA text it sends, and he claimed some telcos were gaming the system to inflate that bill.
Despite known vulnerabilities, SMS-based two-factor authentication is used as a security measure by several major organisations, including the Big 4 banks.
In another tweet, he said other authentication apps (ie 2FA soft tokens) were "more secure than SMS".
Troy Hunt, an internet security expert, agreed, saying "generally, SMS is considered to be the weakest" in the "security hierarchy" of 2FA methods.
This is because an attacker can trick a phone company into assigning the target's phone number to a new SIM card, so the attacker, not the owner, receives the 2FA text. This fraud is known as "SIM jacking" or SIM swapping.
Many have pointed out that paid-up Twitter Blue users will still have access to SMS 2FA, which is hard to square with Mr Musk's claim that boosting security was the reason for the decision to cancel free SMS 2FA.
"If it's about security, they should [cancel SMS 2FA] for everyone, for Twitter Blue users," Mr Hunt said.
"The irony there is Twitter Blue users are more invested in the platform."
As for the effect on the platform: probably not a lot, Mr Hunt said.
Don't expect all hell will break loose on March 20.
"The number of people that have 2FA enabled on Twitter is in the single digits," Mr Hunt said.
Of these, some already have Twitter Blue. Some may upgrade to Twitter Blue. Others will switch to other methods of 2FA (we're getting to them). And of those that remain, most will not have passwords that have already been compromised.
"You have to imagine there'll be some degree of uptick in account takeover," Mr Hunt said.
These takeovers cost the individual as well as the organisation. Whether the predicted uptick in takeovers would cost Twitter more than $60 million a year was a "good question", he said.
To keep 2FA without paying for Twitter Blue, you've got two options: authenticator apps and hardware keys.
The first of these is the simplest and cheapest. Download one (there are lots that are free). Then go to Twitter and click Settings and privacy > Security and account access > Security > Two-factor authentication and click Authentication app. Enter your password and click Confirm.
Authenticator apps aren't vulnerable to SIM jacking, because the code is generated on your phone from a secret the app holds and never travels over the mobile network. But you can still be phished. That is, you might be tricked into entering your password, and the current one-time code, on a webpage that looks identical to the platform's login page; the attacker then uses both on the real site within the code's short validity window.
That leaves the final option: hardware keys.
This is a small device, usually plugged in over USB (some also work over NFC), that holds a private key which never leaves it. When you log in, the site sends a random challenge; the key signs it, together with the address of the site you are actually on, and the site checks that signature. Because the signature is bound to the genuine site's address, a look-alike phishing page can't reuse it, which is why this method (the FIDO security key standard) is the most trusted option.
Many people find them inconvenient, though: you have to have the key on you whenever you need to complete 2FA.
If you do nothing, probably not much will change day to day.
You'll still be able to use Twitter like before.
From March 20, you'll be prompted to disable 2FA before you can continue to use your account.
The only real change will be a hard-to-quantify but significant increase in the risk of having your Twitter account hacked.