What you need to know
- Twitter now supports two-factor authentication without a phone number.
- Previously, users were still required to add a phone number to their Twitter account as a failsafe.
- Security key users will still need a second method of authentication because security keys are not supported beyond Twitter's web version.
Twitter has announced that it now supports two-factor authentication without the need for a phone number.
@TwitterSafety tweeted the news yesterday, November 21.
Previously, Twitter users who wished to use two-factor authentication to secure their Twitter account were required to provide a phone number as a backup option. It's well known that this left users vulnerable to SIM-swapping attacks; famously, Twitter CEO Jack Dorsey had his own Twitter account hacked in August of this year.
The news will come as a big relief to anyone wary of having to attach their phone number to their Twitter account. Twitter also faced controversy earlier this year, after it was forced to admit that phone numbers provided for safety or security purposes, including two-factor authentication, were inadvertently used for advertising.
Now users are able to unlink their phone number within account settings, whilst retaining two-factor authentication.
However, there seems to be an interesting quirk, in that security keys aren't supported outside of Twitter for web. One user was quick to point out that after adding a YubiKey and removing his phone number, he received an email stating his two-factor authentication had been disabled, and that he must supply a phone number to re-enable it. This means that outside of the web, users who wish to disable SMS also need to have a mobile security app, as one Twitter engineer pointed out.
Essentially, what the update means is that when using 2FA, you now have to choose two options from SMS, authentication app and security key. Obviously, if you want to unlink your phone number from your Twitter account, you'll need to pick authentication app and security key. All of the necessary settings are found in the 'Settings and Privacy' section of your Twitter account on the web. Head to Account > Security > Phone and select 'Delete phone number.'