Hundreds of millions of Twitter users now have a better way to safeguard their accounts from being compromised.
Twitter has provided app-based two-factor authentication (2FA) for a few years, but still required users to add their mobile phone number as a fallback.
Now, in a tweet, the company has announced that you can sign up for 2FA without providing your phone number.
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1
— Twitter Safety (@TwitterSafety) November 21, 2019
Twitter’s 2FA feature adds an extra layer of security that means even if a bad guy manages to steal your password they shouldn’t be able to access your account. That’s because having a username and password isn’t enough to break into a Twitter account if two-factor authentication is enabled. Instead, if someone attempts to access your account from an unrecognised device, they will be prompted to enter a code generated by an authentication app that is (hopefully) in your possession.
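To make concrete what the "code generated by an authentication app" actually is, here is an added example (not Twitter's code and not from this article) of the time-based one-time password algorithm (TOTP, RFC 6238) that authenticator apps implement. A shared secret is enrolled once, typically from a QR code; after that, both the app and the server derive the same six-digit code from that secret and the current 30-second time step, so nothing has to travel over the phone network at login. The secret below is the public RFC 4226/6238 test-vector key and the clock values are constructed for the demonstration; they are assumptions, not anything Twitter uses.

```python
import base64
import hashlib
import hmac
import struct

# Public test-vector key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used here only so the output can be checked against the RFCs. A real
# authenticator app stores a per-account secret enrolled via a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble selects the 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with counter = floor(time / step).
    This is what the authenticator app computes and displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps either side to tolerate clock drift between app and server.
    compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are enrolled with a Base32 secret (as in otpauth:// URIs);
    decode it to the raw key bytes used by HMAC. Missing '=' padding is restored."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    now = 1_111_111_109                      # constructed clock value (an RFC 6238 vector)
    code = totp(DEMO_SECRET, now)
    print("app shows:", code)
    print("server accepts at the same time:", verify_totp(DEMO_SECRET, code, now))
    print("server accepts 30 s later:", verify_totp(DEMO_SECRET, code, now + 30))
    print("server rejects 90 s later:", verify_totp(DEMO_SECRET, code, now + 90))
```

The drift window is the usual trade-off: a window of one step keeps logins working when the phone's clock is slightly off, while a wider window gives a stolen code a longer useful life. Note also that the secret itself never leaves the two endpoints, which is why an app-generated code is not exposed to the SIM-swap and SMS-interception problems that a texted code is.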
Pleasingly, I was able to enter the settings for my Twitter account and delete its associated phone number. Logging out and then logging in again asked me for a six-digit code from my authentication app, and I haven’t been asked to re-enter my mobile phone number. That’s good with me. :)
If you want to do something similar, here is how you do it:
- Enter account settings and choose Account.
- Choose Phone and choose the option to delete your phone number.
- If you are currently using SMS-based 2FA you will be warned that deleting your phone number will disable two-factor authentication. My advice is to set up app-based authentication to use in its place, as SMS-based authentication is vulnerable to SIM-jacking attacks.
Twitter does also offer 2FA via hardware keys such as the YubiKey. However, at present, if you choose that option it still requires you to provide a mobile phone number as a backup method. According to one Twitter engineer, this is something they’re continuing to work on.
Hi! Currently we require you to have a second method along with security keys since the latter isn’t currently supported outside web. If you’d like to disable sms, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it!
— Jared Miller (@jcmi) November 21, 2019
Yes, Twitter should have eradicated the requirement for users to provide a phone number to enable app-based 2FA years ago, but it seems churlish to grumble too much now that they have finally done it.
Whether the compromise of Twitter CEO Jack Dorsey’s account two months ago resulted in the company finally taking a harder look at how it could generally improve users’ security is unclear.
You can read more about how to take advantage of Twitter two-factor authentication in this support article.
So does that mean if someone tries to access my account Twitter would send me an email with the code?