Humans seem to be terrible at creating and using strong passwords, let alone remembering them. Various technologies have popped up to alleviate those flaws, like password managers and two-factor authentication. The latter has been particularly popular especially with the rise of fingerprint and face recognition. Many, however, still use SMS as the second factor, which is just a half-step above having no 2FA. Fortunately, Twitter has finally seen the light and will allow users to opt for a more secure option.
In the early days of two-factor authentication, or 2FA, there were really only two common methods accessible to almost everyone: email and SMS. Most services chose to send codes via SMS because email accounts are hacked more often and people are more likely to carry their phones with them. SMS, however, has also proven to be insecure and prone to other forms of attack, leading companies to develop better methods like authenticator apps and fingerprint and face scanners.
Twitter, sadly, was set in its old ways until today. It required your phone number to even enable 2FA in the first place. What made matters worse was that you couldn't disable that SMS link or remove your phone number even if you opted to use an authenticator app or a hardware key. You might think that's fine, but many don't, including Twitter CEO Jack Dorsey.
Dorsey’s Twitter account was hacked last August using the very same SMS vulnerabilities and hacking methods security experts have warned about. Given the timing, it’s not hard to associate that incident with today’s 2FA announcement. Regardless, it’s good news for more than just Dorsey.
Starting today, you can finally remove your phone number from Twitter's 2FA system, and new users won't be required to give theirs to enable it. Not only does this allow users to opt for more secure 2FA methods, it also protects their phone numbers from being stolen if Twitter gets hacked, or from being abused for spam, as happened at Facebook.