X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.
I have a great solution for this problem: Stay away from Elon’s Nazi shithole, also known as X
For all other accounts, use 2FA via TOTP or U2F