Twitter has recently announced a major update in their system that may bring a sigh of relief for some users. Reportedly, Twitter removed its limitation for SMS-based 2FA method and provided alternate options.
Twitter Relieves SMS-Based 2FA Limitation
Twitter has recently announced a change with its user verification methods. As disclosed in a recent tweet, Twitter now relieves users of the outdated SMS-based 2FA limitation. They can now enable two-factor authentication even without a phone number.
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1
— Twitter Safety (@TwitterSafety) November 21, 2019
Previously, in fact, right before this announcement, SMS-based verification was the only method supported by Twitter for two-factor authentication. And, to use this method, users should have to register their mobile phone numbers with Twitter.
This strategy posed a threat to the security and integrity of Twitter accounts owing to the risks associated with phone numbers, such as SIM swapping.
This is the same method that triggered the hacking of Jack Dorsey’s Twitter account via SIM swapping a few months ago. Moreover, this method has also caused numerous other high-profile account hacks as well.
Though, the users could enable the use of a security key for authentication. They still needed to have SMS-based 2FA enabled. Hence, the security risks still posed threat to the accounts.
However, after Jack-Dorsey’s account hacking incident, it seems Twitter took the matter seriously to come up with an alternative.
Twitter have also confessed in the previous month about the ‘inadvertent’ use of users’ 2FA numbers for ad targeting. Perhaps, this might be another reason contributing to the new decision.
Some Bugs Still Need Attention
While the new 2FA policy has been announced, some users are still facing trouble in fully availing this functionality. As highlighted by a user in response to Twitter’s announcement, the account still requires phone number registration.
It. Does. Not. Work.
Added Yubikey, removed phone number. Got an email that I just disabled 2FA and I must supply a phone number to reenable it.
— Péter Szilágyi (@peter_szilagyi) November 21, 2019
Though, a software engineer at Twitter, Jared Miller, swiftly elaborated on the matter.
Hi! Currently we require you to have a second method along with security keys since the latter isn’t currently supported outside web. If you’d like to disable sms, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it!
— Jared Miller (@jcmi) November 21, 2019
So, for now, the new feature is in the testing phase. Therefore, the users eager to get rid of this phone number restriction shall have to wait for a few days before the feature becomes fully functional.
Let us know your thoughts in the comments.