Twitter has finally made a change users have been waiting a long time to see. No, it’s not editable tweets, but as of today everyone can enable two-factor authentication on their account without linking a phone number.
While SMS-based two-factor can be a fallback for people who lose access to code-generating devices or don’t have security keys, it’s very vulnerable to SIM-swapping attacks. Twitter added code generator support a while ago, but still asked users to add a phone number if they wanted the extra verification, and you couldn’t remove the fallback. That’s upsetting for those concerned about their privacy: they may not want to link a phone number to their account at all, and Twitter has already admitted that it used phone numbers to target ads even for users who declined that.
Attackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey’s account earlier this year, and while the exploit didn’t use two-factor codes, it showed how vulnerable the SMS-based system can be. If you already have a phone number linked in your profile, you can go ahead and remove it now. However, a security engineer noted that you can’t remove the number and rely simply on a security key for access, since security keys are only supported on the website.
Another 🔑 update today: you can now use Two Factor Authentication without linking a phone number. If you already have your phone number linked along with App-based 2FA, you can unlink your 📞 in the “Account” section of your settings while still keeping 2FA on. https://t.co/t63iRz2lIy
— Kayvon Beykpour (@kayvz) November 21, 2019