Twitter 2-factor authentication doesn't require a number anymore

Starting today, Twitter users will be able to secure their accounts via two-factor authentication (2FA) without linking a phone number. For 2FA, users choose from three methods: text message, authentication app, or security key. Kayvon Beykpour, Product Lead at Twitter, tweeted that users who already have a number linked can unlink it while keeping 2FA on.

Engadget, Nov 22, 2019, 06:10 PM
Twitter has finally made a change users have been waiting a long time to see. No, it's not editable tweets, but as of today everyone can enable two-factor authentication on their account without linking a phone number.

While SMS-based two-factor can be a fallback for people who lose access to code-generating devices or don't have security keys, it's very vulnerable to SIM-swapping attacks. Twitter added code generator support a while ago, but still asked users to add a phone number if they wanted the extra verification, and you couldn't remove the fallback. That's upsetting for those concerned about their privacy: they may not want to link a phone number to their account at all, and Twitter has already admitted that it used phone numbers to target ads even for users who declined that.

Attackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey's account earlier this year, and while the exploit didn't use two-factor codes, it showed how vulnerable the SMS-based system can be. If you already have a phone number linked in your profile, then you can go ahead and remove it now. However, a security engineer noted that you can't remove the number and rely simply on a security key for access since that's only supported on the website.
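The "authentication app" option mentioned above works because the code is derived from a shared secret and the current time (RFC 6238 TOTP, built on RFC 4226 HOTP), so no phone number or carrier is involved and a SIM swap gains the attacker nothing. The following is an added example written for this page, not Twitter's or Engadget's code; it implements the standard algorithm from the Python standard library and checks it against the RFC 6238 test vectors. The base32 secret shown is the RFC's well-known test secret, and the one-step verification window is an assumption about what a verifier would tolerate.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way an authenticator app receives it from an otpauth:// provisioning URI.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the provisioning secret; apps accept lower case and missing padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble of last byte
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps elapsed."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps.

    The window absorbs clock drift between app and server; keep it small, since
    every extra step doubles the number of codes an attacker may guess.
    Comparison is constant-time to avoid leaking matching prefixes.
    """
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step, digits)
        # No early return: evaluate every candidate so timing does not reveal
        # which step (if any) matched.
        ok |= hmac.compare_digest(candidate, code)
    return ok


def current_code(b32_secret: str) -> str:
    """What an authenticator app would display right now for this secret."""
    return totp(secret_from_base32(b32_secret), int(time.time()))


if __name__ == "__main__":
    secret = secret_from_base32(RFC6238_SECRET_B32)
    for t in (59, 1111111109, 1234567890, 20000000000):
        print(t, totp(secret, t), totp(secret, t, digits=8))
    print("now:", current_code(RFC6238_SECRET_B32))
```

The printed 8-digit values match the SHA-1 column of the RFC 6238 test table, which is the easiest way to confirm a home-grown verifier before trusting it. Note that the secret must be stored server-side as carefully as a password hash would be: unlike an SMS code, it is a long-lived credential, and anyone who reads it can mint valid codes indefinitely.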