Twitter says it will allow users to remove their phone numbers from the secure login process, a move that has triggered praise from the security community.
According to a new report from ZDNet, users can now use a one-time code, an app or a physical security key as the second factor of authentication for their account. It's now possible to enable 2FA on Twitter using a mobile authenticator app, such as Authy or Google Authenticator, without supplying Twitter with a phone number.
Previously, Twitter users who wished to use two-factor authentication to secure their account were required to provide a phone number as a backup option. It's well known that this left users vulnerable to SIM-swapping attacks; most famously, Twitter CEO Jack Dorsey had his own Twitter account hacked in August of this year.
We’re also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1
— Twitter Safety (@TwitterSafety) November 21, 2019
Although adding a layer of SMS-based verification to your logins is better than relying on a password alone, it’s no longer the best way to do it. Viewed in that light, Twitter’s decision to unlink the phone number from 2FA is a belated acknowledgement of the vulnerabilities associated with the SMS-based system.
The news will come as a big relief to anyone wary of having to attach their phone number to their Twitter account. Twitter also faced controversy earlier this year, after it was forced to admit that phone numbers provided for safety or security purposes, including two-factor authentication, were inadvertently used for advertising.