Here’s how to secure your Twitter account without paying for Blue

If you’ve been on Twitter lately, you might’ve seen a message prompting you to switch away from text message two-factor authentication (2FA). That’s because Twitter’s putting the feature behind a paywall, which means you either have to pay $8 per month for Blue or switch to another authentication method — and I think most of us would choose the latter.

Fortunately, SMS 2FA isn’t the only way to secure your Twitter account, with other methods still available for free. The platform’s shutdown of the feature — at least for non-Blue subscribers — is actually a good reminder that we shouldn’t be using it in the first place.

SMS 2FA leaves you vulnerable to SIM-swapping attacks, which usually happen when a bad actor uses social engineering or other access to get your mobile carrier to reassign your phone number to them. Once they’ve gained access to your number, the hacker can intercept the verification codes you receive over text messages or through phone calls when you try signing into your accounts, potentially allowing them to log in instead.

While Twitter plans on getting rid of SMS 2FA for non-paying users on March 19th, it won’t automatically migrate you to a new form of 2FA when the time comes. Twitter will actually disable 2FA for your account altogether if you don’t add a new authentication method. Here’s how to make the switch before Twitter discontinues the option.

Aside from SMS 2FA, you can either use an authenticator app or a security key as an extra layer of protection when logging into your Twitter account.

Authenticator apps, like Authy, Google Authenticator, and Microsoft Authenticator, typically generate one-time passwords (OTP) that change after a short period of time. Just like SMS 2FA, you can use these codes to access your accounts on the web, but you’ll find them in the app — not in your text messages. They also change quite frequently, so you’ll have a much more limited amount of time to enter them.

While this solution still isn’t immune to attacks, it’s safer than SMS 2FA, as it’s more difficult for a hacker to get access to the physical device where the authenticator app’s installed.

Security keys, on the other hand, are one of the safest forms of 2FA because the key itself verifies the service as valid to help prevent phishing, and it can be more convenient than copying over a constantly rotating code. However, this method requires you to purchase a physical piece of hardware that you insert or connect wirelessly to your phone or computer. This key verifies your identity when logging into your account.

How you use the key largely depends on the one you purchase, as some come with support for USB-C, USB-A, and Lightning, while others support NFC. Many security key brands, like those offered by Yubico, are compatible with Twitter, but it’s worth checking whether the key you’re eyeing supports the sites you need it for.

You can read about security keys in more detail, including how to enable them for Twitter, in this post here.

For this tutorial, we’ll show you how to enable an authenticator app on Twitter. Just make sure to create an account on the authenticator app of your choice before getting started. Here’s what you’ll need to do:

1. Open the platform’s desktop site, as you can’t use the Twitter app to set up an authentication app as a form of 2FA on the platform.
2. Hit the three dots icon in the sidebar on the left side of the screen, and choose Settings and Support > Settings and Privacy.
3. Click Security and account access > Security > Two-factor authentication.
4. Choose Authentication app, and enter your password if prompted.
5. Hit Get Started to pass through the first window, and you’ll see a QR code pop up on your screen.
6. Open the authenticator app on your phone, select the app’s QR code scanner, and scan the code on your screen. This will link your account to your authenticator app.
7. When you’re finished, turn back to Twitter. Hit Next, enter the code that your app generates, and select Confirm.
8. On the next screen, Twitter will provide you with a single-use backup code; make sure to hang onto it in case you lose access to your phone or authentication app.

That’s all there is to it! This will keep your account more secure than using SMS 2FA, and better yet: it’s completely free.