Twitter finally upgrades its 2FA security feature. Mobile number no longer required!

Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

Twitter has provided app-based two-factor authentication (2FA) for a few years, but still required users to add their mobile phone number as a fallback.

Now, in a tweet, the company has announced that you can sign up for 2FA without providing your phone number.


Twitter’s 2FA feature adds an extra layer of security: even if an attacker manages to steal your password, a username and password alone are no longer enough to get into your account. If someone attempts to log in from an unrecognised device, they will also be prompted for a code generated by an authentication app that is (hopefully) in your possession, and not in theirs.
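The codes that authenticator apps display are time-based one-time passwords (TOTP, RFC 6238): an HMAC over the current 30-second time window, keyed with a secret that was shared with your phone when you scanned the enrolment QR code. An attacker holding only your password does not have that secret and so cannot compute the code. Unlike an SMS code, the TOTP value never travels across the phone network, which is why it is not exposed by a SIM-swap. The following is an added illustration, not code from the original article or from Twitter; it uses the public RFC 6238 reference secret as a stand-in for a real enrolment key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key: the RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded as an authenticator app would receive it from an enrolment QR code.
# A real enrolment key would be random and known only to the app and the service.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP with counter = Unix time // step.
    This is the value the app on the phone displays; the server computes the same."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current window plus `skew` windows either side to
    tolerate phone/server clock drift; uses a constant-time comparison for each candidate."""
    now = int(time.time()) if at is None else at
    window = now // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c, digits), code)
        for c in range(window - skew, window + skew + 1)
    )


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> counter 1 -> "94287082" (8 digits); apps show the last 6.
    print(hotp(DEMO_SECRET_B32, 1, digits=8))
    print(totp(DEMO_SECRET_B32, at=59))
    print("code for the current window:", totp(DEMO_SECRET_B32))
```

The `skew` parameter is the practical trade-off a service makes: a wider window is kinder to phones with drifting clocks but gives a guessed or phished code a longer useful life. Real services additionally refuse to accept the same code twice, which this short example does not show.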


Pleasingly, I was able to enter the settings for my Twitter account and delete its associated phone number. Logging out and then logging in again asked me for a six-digit code from my authentication app, and I haven’t been asked to re-enter my mobile phone number. That’s good with me. 🙂

If you want to do something similar here is how you do it:

  • Enter account settings and choose Account.
  • Choose Phone and choose the option to delete your phone number.
  • If you are currently using SMS-based 2FA you will be warned that deleting your phone number will disable two-factor authentication. My advice is to set up app-based authentication to use in its place, as SMS-based authentication is vulnerable to SIM-swap (SIM-jacking) attacks, in which an attacker persuades your carrier to move your number onto a SIM they control and then receives your login codes.

Twitter does also offer 2FA via hardware security keys such as the YubiKey. However, at present, if you choose that option it still requires you to provide a mobile phone number as a backup method. According to one Twitter engineer, this is something they’re continuing to work on.

Yes, Twitter should have removed the requirement to provide a phone number for app-based 2FA years ago, but it seems churlish to grumble too much now that they have finally done it.

Whether the compromise of Twitter CEO Jack Dorsey’s account two months ago resulted in the company finally taking a harder look at how it could generally improve users’ security is unclear.

You can read more about how to take advantage of Twitter two-factor authentication in this support article.