Twitter will no longer require users’ phone numbers to enable two-factor authentication (2FA) on their accounts, Twitter Safety tweeted. While it hasn’t completely done away with mobile-number 2FA, it is no longer mandatory to give the platform your phone number. Users can now enable 2FA using an authentication app or a physical security key, without necessarily having to provide Twitter with their phone number.
What’s new? The first option is an authenticator app, which generates random six-digit one-time passwords (OTPs). Some such apps are Google Authenticator, Authy and YubiKey. If you select this option, you will have to link your Twitter account with a compatible authentication app. We tested this using Google Authenticator and Authy, and it worked well. However, Authy required us to enter our mobile number to create an account.
The other option is to use a physical security key, and while this might be the most secure 2FA method, there is one caveat. Security keys currently aren’t supported outside of Twitter on the web, so if a user is accessing Twitter via a mobile app, it will still ask them to have another 2FA method enabled as a backup, a Twitter engineer explained after some users complained that they still had to provide their mobile number if they wanted to enable 2FA using a security key.
Users can choose to delete their mobile number if they had earlier given it to Twitter. However, if a user had enabled 2FA using their phone number, Twitter will notify them that deleting the number will automatically turn off 2FA.
Why this matters: While two-factor authentication is undeniably a better way of securing your accounts, Twitter’s announcement comes as a belated acknowledgment that mobile number-based 2FA isn’t perhaps the best way. CEO Jack Dorsey’s account was hacked in August this year because the phone number associated with his account was compromised. Following that, Twitter had disabled the option to tweet via SMS, saying that carriers need to address “vulnerabilities” in their system, and it needs to rework its reliance on linked phone numbers for two-factor authentication.
- In an undated blog post, the company had revealed that phone numbers provided to the service for security purposes such as 2FA might have been used to run targeted advertisements.
- SMS-based 2FA can prove to be a risky proposition, as a series of SIM swapping attacks have shown that SMS messages can be hijacked to target users’ accounts.