Handling SMS 2FA on Twitter is an excellent exercise for a product manager interview. If they suggest what Elon did - don't hire them.
Why?
First, to get it out of the way, app-based 2FA is superior in many ways. But we also need to recognize that some 2FA is better than nothing.
I would provide two scenarios: first, you're about to get bankrupt, and second, you want to do it the right way.
1️⃣ In the first scenario, an acceptable answer would be to disable SMS 2FA altogether, clearly communicate why it's happening, and provide an easy migration way.
An instruction at least (with links and explanation), or an in-app wizard, ideally if you have any runaway left.
🚫 What Elon did:
- Don't communicate the risk of 2FA
- Push users to upgrade to Blue to keep SMS 2FA, which neither help with telco scam nor makes their accounts secure.
- % or remaining will disable 2FA.
2️⃣ In the second scenario, I would prefer to have it this way:
- Disable SMS 2FA for new accounts.
- Bug users on SMS 2FA with a popup that push them to migrate to app-based 2FA.
- After a while, lock the remaining users until they enable app-based 2FA.