As part of this change, Twitter will also turn off 2FA for your account entirely if you don’t switch from SMS verification or pay for Blue by that deadline, leaving your account vulnerable to hacking. Fortunately, you can still enable 2FA for free with an authenticator app, such as Google Authenticator or Authy. You can also use a security key, but this requires you to purchase an actual piece of hardware.
Twitter is making SMS 2FA a paid feature because it is the least secure form of authentication. This may seem counterintuitive, but at least it should keep non-subscribers away from the method, as its users are known to be susceptible to an attack called SIM swapping.
SIM swapping can happen when an attacker uses social engineering or other tactics to convince your mobile carrier to reassign your phone number to their device. They can then intercept the text messages sent to you, including those SMS 2FA codes, potentially allowing them to access your accounts.