Twitter Now Lets You Enable 2FA Without Adding a Phone Number

Twitter has announced a new feature that lets users change their default 2FA (two-factor authentication) method. Until now, Twitter users had to set SMS as their 2FA method, with no way to change that default. From now on, Twitter lets you authenticate with a one-time code from a mobile authenticator app or even a hardware security key.

This also means you no longer need to register a phone number to enable 2FA on Twitter. Previously, if you wanted to use a mobile authenticator app, you had to activate SMS 2FA first, and Twitter offered no option to disable it afterwards. Worse, SMS-based 2FA leaves Twitter accounts exposed to SIM swaps: an attacker who knows a user's password can hijack the user's phone number, receive the SMS code, and bypass the second factor.

From Twitter's announcement: "This change provides an up-to-date and secure authentication standard for security key 2FA, with support for more browsers and authenticators coming in the future. WebAuthn is enabled by default and follows the same process as before when registering your security key. As of today, Twitter only supports physical security key authenticators with WebAuthn, while we expect to add support for other options in the future."

SIM swaps are more common than we think, and the method has been used to hack Twitter accounts. The company seemed to ignore the issue until now. Things took a different turn after Twitter CEO Jack Dorsey's account was hacked via SIM swap. The attackers did not bypass SMS-based 2FA in that incident, but the attack appears to have pushed Twitter toward offering the more secure 2FA methods.

Twitter users can also choose to delete the phone number associated with their account. Doing so removes the SIM swap path to the account entirely, since there is no longer a number to hijack. Twitter has apparently been testing the feature for more than a week and announced it today.

[via Twitter]