Twitter has supported two-factor authentication (2FA) for a while, but the service always required you to include a phone number as an auxiliary form of identification. Twitter has now changed its 2FA system to remove that dependency. Here’s how that works.
If you use Twitter, you should be using two-factor authentication (2FA). 2FA requires you to enter a password and then prove your identity a second way, combining something you know (your password) with something you have (a phone, a security key, or an authentication app).
Up until fairly recently, most systems, Twitter included, made that a phone number. The problem is that techniques like SIM swapping are on the rise, making it possible for bad actors to hijack phone numbers as a means of spoofing identity. In fact, this very thing happened to Twitter CEO Jack Dorsey a few months ago, which may explain the company’s decision to roll out this change for all users.
That makes sending a text to your phone less secure than it used to be. So Twitter’s engineers have removed the requirement for you to add a phone number to your Twitter account as a secondary means of identification.
Now you can use a mobile security authentication app instead. Google Authenticator, Authy, LastPass and others offer this functionality. These apps generate one-time passwords from a secret shared with the server when you enrol and from the current time, so the app and the server arrive at the same code without anything being sent to your phone number.
Be advised that if you’re using a physical security key like the YubiKey, unfortunately you’ll still need to fall back on a mobile security authentication app, at least for now, according to Twitter security engineer Jared Miller. He explained in a tweet that physical security keys are not supported outside of Twitter’s Web interface, and acknowledged it’s an imperfect solution: “We know this might not be ideal but we’re going to keep working on it!”
Set up two-factor authentication on Twitter
1) Open Twitter in your Web browser.
2) Tap your account info in the upper left.
3) Tap Settings and Privacy.
4) Tap Account.
5) Tap Security.
6) Tap Two-factor authentication. Select the methods of two-factor authentication you’d prefer to use. Your choices are text message, authentication app and security key. Deactivate text message if you wish to remove your phone number from Twitter’s preferences.
Remove your phone number from Twitter preferences
From the account info screen:
1) Tap Settings and privacy.
2) Tap Account.
3) Under Login and security, tap Phone.
4) Tap Delete phone number.
5) Tap Yes, delete to confirm.
Wrapping it up
Removing 2FA’s dependency on a phone number gives Twitter users an additional element of security that will make it harder for bad actors to take over Twitter accounts using nefarious means like SIM swapping. This may not be something that everyone needs to worry about, but at least now Twitter is making the option available to those who need or want it.
Have you enabled this new security measure on your Twitter account? Do you think it’s necessary? Sound off in the comments – we want to hear from you.