What you need to know
- Twitter now supports two-factor authentication without a phone number.
- Previously, users were still required to add a phone number to their Twitter account as a failsafe.
- Security key users will still need a second method of authentication because security keys are not supported beyond Twitter's web version.
Twitter has announced that it now supports two-factor authentication without the need for a phone number.
@TwitterSafety tweeted the news yesterday, November 21.
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1— Twitter Safety (@TwitterSafety) November 21, 2019November 21, 2019
Previously, Twitter users who wished to use two-factor authentication to secure their Twitter account were required to provide a phone number as a backup option. It's well known that this left users vulnerable to SIM-swapping attacks, famously, Twitter CEO Jack Dorsey had his own Twitter account hacked in August of this year.
The news will come as a big relief to anyone wary of having to attach their phone number to their Twitter account. Twitter also faced controversy earlier this year, after it was forced to admit that phone numbers provided for safety or security purposes including two-factor authentication were inadvertently used for advertising.
Now users are able to unlink their phone number within account settings, whilst retaining two-factor authentication.
Another 🔑 update today: you can now use Two Factor Authentication without linking a phone number. If you already have your phone number linked along with App-based 2FA, you can unlink your 📞 it in the "Account" section of your settings while still keeping 2FA on. https://t.co/t63iRz2lIyAnother 🔑 update today: you can now use Two Factor Authentication without linking a phone number. If you already have your phone number linked along with App-based 2FA, you can unlink your 📞 it in the "Account" section of your settings while still keeping 2FA on. https://t.co/t63iRz2lIy— Kayvon Beykpour (@kayvz) November 21, 2019November 21, 2019
However, there seems to be an interesting querk, in that security keys aren't supported outside of Twitter for web. One user was quick to point out that after adding Yubikey and removing his phone number, he recieved an email stating his two-factor authentication had been disabled, and that he must supply a phone number to reenable it. This means that outside of the web, users who wish to disable SMS also need to have a mobile security app, as one Twitter engineer pointed out:
Hi! Currently we require you to have a second method along with security keys since the latter isn’t currently supported outside web. If you’d like to disable sms, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it!Hi! Currently we require you to have a second method along with security keys since the latter isn’t currently supported outside web. If you’d like to disable sms, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it!— Jared Miller (@jcmi) November 21, 2019November 21, 2019
Essentially, what the update means is that when using 2FA, you now have to choose two options from SMS, authentication app and security key. Obviously, if you want to unlink your phone number from your Twitter account, you'll need to pick authentication app and security key. All of the necessary settings are found in the 'Settings and Privacy' section on your Twitter account on the web. Head to Account>Security>Phone and select 'Delete phone number.'
