Social networks have struggled with spam, scams, impersonation, and account hijacking for years. And over the past week, two of them unveiled a new plan for dealing with it: passing the cost to users.
The first move came from Twitter, which made SMS-based two-factor authentication (2FA) a premium feature late last week. After March 20th, users will need to either switch to an app-based authentication system, pay $8 to $11 a month, or turn off the basic security feature. The decision is part of a larger attempt to push people onto subscription-based Twitter, and Musk also agreed with a tweet saying that it’s also an attempt to cut down on carriers charging Twitter for spam SMS messages.
Soon after, Meta announced its own security subscription service. The company announced plans for a paid verification service similar to Twitter Blue, designed to help “up-and-coming creators” grow their audiences. On top of a blue check and increased visibility, it includes “access to a real person” for account support, as well as “proactive account monitoring for impersonators who might target people with growing online audiences.”
From one perspective, both these moves are understandable. Twitter still allows free app-based two-factor authentication, which is typically a more secure option, and pushing more people toward it is a good thing. Meta’s new plan follows a common strategy for enterprise users: charging businesses an extra fee for expedited, full-featured support. The company is trying to solve a real customer service problem. It apparently started putting more resources into a customer support division last year, as users turned out to be appealing to black-market account restoration services when they got hacked.
Money is a widely accepted form of friction for the internet
In general, money is a widely accepted lever for applying friction to bad actors online. The web’s seamlessness and vast scale makes it easy to create huge numbers of accounts for nefarious purposes, while simultaneously making support for individual users difficult — it’s staggeringly hard to offer free non-automated customer service to almost 2 billion users. Some smaller online social spaces, like Metafilter and the WELL, have used subscriptions or one-time fees as a quality filter for years.
At the same time, there’s a real downside here.
Around three-quarters of the people using Twitter’s two-factor authentication relied on SMS services as of last year. (Only 2.6 percent of accounts used it at all.) Where companies like Google have gradually phased out text message-based 2FA, Twitter is now trying to simultaneously move people onto a more secure option and turn a profit from it, and it’s an awkward combination. The new change is happening on a rushed one-month timeline that seems almost designed to alarm people into paying for a less secure option, which Twitter pitches as a luxury service rather than the deprecated system it really is. The result may be a lot of people who simply turn off 2FA altogether, particularly when the warning message is framed around telling people to remove SMS authentication unless they pay up — not onboarding them to a different method.
Meanwhile, Meta’s plan combines things that make sense as premium upgrades with ones that a good social network should be doing by default. Flagging accounts that are at special risk for impersonation (a list that includes activists and public servants, not just aspiring commercial influencers) improves the service for everyone, because it tells the average user they can trust they’re actually following the people they think they are. Even if it’s impossible to offer billions of people that level of attention, large and rapidly growing accounts are a far smaller subset of the user base — one that the overall Facebook experience benefits from supporting without requiring a fee. The plan also means there’s less incentive to improve the dismal customer service experience for non-paying users who get locked out of their accounts.
A lot of Silicon Valley is currently trying to make people pay up for previously cheap or free options. But on social networks, there’s a balance between revenue from any individual user and the large-scale health of the ecosystem. Security has typically fallen at the latter end of that spectrum — it’s a foundational element of any digital service, a basic prerequisite for keeping logged-in eyeballs on the site. But as companies tighten their belts, there’s a powerful incentive to extract a monthly fee along the way.