Twitter finally upgrades its 2FA security feature. Mobile number no longer required!

Graham Cluley


Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

Twitter has provided app-based two-factor authentication (2FA) for a few years, but still required users to add their mobile phone number as a fallback.

Now, in a tweet, the company has announced that you can sign-up for 2FA without providing your phone number.


Twitter’s 2FA feature adds an extra layer of security that means even if a bad guy manages to steal your password they shouldn’t be able to access your account. That’s because having a username and password isn’t enough to break into a Twitter account if two-factor authentication is enabled. Instead, if someone attempts to access your account from an unrecognised device, they will be prompted to enter a code generated by an authentication app that is (hopefully) in your possession.

[Screenshot: Twitter log-in prompt asking for a code from an authentication app]

Pleasingly, I was able to enter the settings for my Twitter account and delete its associated phone number. Logging out and then logging in again asked me for a six-digit code from my authentication app, and I haven’t been asked to re-enter my mobile phone number. That’s good with me. :)

If you want to do something similar here is how you do it:

  • Enter account settings and choose Account.
  • Choose Phone and choose the option to delete your phone number.
  • If you are currently using SMS-based 2FA you will be warned that deleting your phone number will disable two-factor authentication. My advice is to set up app-based authentication to use in its place, as SMS-based authentication is vulnerable to SIM-jacking attacks.

Twitter does also offer 2FA via hardware keys such as the YubiKey. However, presently if you choose that option it still requires you to provide a mobile phone number as a backup method. According to one Twitter engineer, this is something they’re continuing to work on.

Yes, Twitter should have eradicated the requirement for users to provide a phone number to enable app-based 2FA years ago, but it seems churlish to grumble too much now that they have finally done it.

Whether the compromise of Twitter CEO Jack Dorsey’s account two months ago resulted in the company finally taking a harder look at how it could generally improve users’ security is unclear.

You can read more about how to take advantage of Twitter two-factor authentication in this support article.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Twitter finally upgrades its 2FA security feature. Mobile number no longer required!”

  1. Jim

    So does that mean if someone tries to access my account Twitter would send me an email with the code?
