Twitter's 2-Factor Authentication No Longer Requires Your Phone Number
In an effort to give people a less stressful experience, Twitter is making changes to its login system. The microblogging platform's security team announced in a tweet yesterday that from now on, users will have slightly different two-factor authentication (2FA) options. Here's the tweet in question:
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1
— Twitter Safety (@TwitterSafety) November 21, 2019
Many of you would say that a major piece of news can't be announced in less than 280 characters. Some might argue that even if it can be, this particular tweet isn't very exciting. When you dig deeper, however, you'll see that the announcement is significant.
Twitter's 2FA system can now work without your phone number
Twitter's 2FA system incorporates three options for the second factor: you can have a one-time password (OTP) delivered to you via an SMS; you can use a mobile authenticator application; or you can use a hardware token.
Up until now, however, Twitter required you to have your phone number connected to your account in order to enable two-factor authentication, regardless of whether or not you wanted to use text messages. This was not a design flaw, and neither was it a scheme to collect millions of phone numbers and sell them on to the lowest bidder. It was actually a safety feature.
Your phone number acted as a fail-safe in case you lost your token or couldn't access the mobile authenticator application. It was there to ensure that whatever happens, you will still be able to access your account without too much hassle. Now, you are no longer required to provide it, and those of you who have already added it can delete it without disabling 2FA. What is the reasoning behind this?
Twitter knows how badly wrong things can go if your phone number is compromised
Twitter is not removing the inherently flawed SMS-based 2FA. You can still link your phone number to your account and receive your Twitter one-time code in a text message. What the social network is doing instead is allowing users who don't want to share their phone number to use two-factor authentication. And some people, including none other than Twitter's own CEO, have a good reason for being reluctant to share their phone numbers.
Back in September, Jack Dorsey had his Twitter account hijacked. The criminals didn't guess his password, though, and they didn't infiltrate Twitter's systems. Instead, they mounted what is known as a SIM swapping attack.
In essence, they hijacked Dorsey's phone number and used Twitter's old tweet-via-SMS service to spread offensive content around. Although the option of tweeting via text messages was disabled almost immediately, the attack alerted everyone at Twitter about the dangers of hijacked phone numbers, and now, people are given the option of protecting themselves.
To be fair, regular users who don't have the influence and follower count of people like Jack Dorsey are not that likely to fall victim to a SIM swapping attack. Still, there are other risks associated with having your contact details exposed, which means that if you have already added your phone number to your account, you might want to consider deleting it. You can do that by going to Settings and privacy > Account > Phone > Delete phone number.
Whatever you do, make sure that 2FA is turned on. To do that, go to Settings and privacy > Account > Security > Two-factor authentication.