Twitter finally upgrades its 2FA security feature. Mobile number no longer required!

Graham Cluley

Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

Twitter has provided app-based two-factor authentication (2FA) for a few years, but still required users to add their mobile phone number as a fallback.

Now, in a tweet, the company has announced that you can sign up for 2FA without providing your phone number.

Twitter’s 2FA feature adds an extra layer of security that means even if a bad guy manages to steal your password they shouldn’t be able to access your account. That’s because having a username and password isn’t enough to break into a Twitter account if two-factor authentication is enabled. Instead, if someone attempts to access your account from an unrecognised device, they will be prompted to enter a code generated by an authentication app that is (hopefully) in your possession.

[Screenshot: Twitter log-in prompt asking for the code from an authentication app]

Pleasingly, I was able to enter the settings for my Twitter account and delete its associated phone number. Logging out and then logging in again asked me for a six-digit code from my authentication app, and I haven’t been asked to re-enter my mobile phone number. That’s good with me. :)

If you want to do something similar, here is how to do it:

  • Enter account settings and choose Account.
  • Choose Phone and choose the option to delete your phone number.
  • If you are currently using SMS-based 2FA you will be warned that deleting your phone number will disable two-factor authentication. My advice is to set up app-based authentication to use in its place, as SMS-based authentication is vulnerable to SIM-jacking attacks.

Twitter does also offer 2FA via hardware keys such as the YubiKey. However, at present, if you choose that option it still requires you to provide a mobile phone number as a backup method. According to one Twitter engineer, this is something they’re continuing to work on.

Yes, Twitter should have eradicated the requirement for users to provide a phone number to enable app-based 2FA years ago, but it seems churlish to grumble too much now that they have finally done it.

Whether the compromise of Twitter CEO Jack Dorsey’s account two months ago resulted in the company finally taking a harder look at how it could generally improve users’ security is unclear.

You can read more about how to take advantage of Twitter two-factor authentication in this support article.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
