
Twitter no longer needs phone numbers for two-factor authentication

Twitter’s two-factor authentication system has received a long-requested boost in security, as the feature will no longer require the phone number of users.

Twitter rolled out its two-factor authentication system years ago. The feature, upon activation, requires account owners to type in a code sent to their associated phone number every time they attempt to sign in. It aims to provide an extra layer of security beyond account passwords, which have been prime targets for hackers.

The two-factor authentication system that Twitter implemented, however, still had several flaws, as it remained vulnerable to phishing attacks and SIM hijacking.

It took a while, but Twitter has finally improved the security of its two-factor authentication system, as well as made it easier to activate, by dropping the requirement for users’ phone numbers.

We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number.

— Twitter Safety (@TwitterSafety) November 21, 2019

When users attempt to activate two-factor authentication, they will now be able to choose between three options for the second factor in addition to their account password. The options are a text message, an authenticator app, and a security key.

Security keys are physical devices that are arguably the best way to block hackers, as the would-be hackers would need to get their hands on the key before they are able to break into an account. Authenticator apps, however, are also a solid option. They may be downloaded through Apple’s App Store and the Google Play Store, then paired with the Twitter account to enable two-factor authentication.

For Twitter users who already have two-factor authentication set up, deleting their phone numbers will make the “Safeguard your account” prompt appear. Some users have been warned by the website or app that removing their phone numbers would deactivate the security feature. These messages should go away soon as the changes continue to roll out.

Beyond wanting an additional layer of security, there may be another reason users want to move away from using phone numbers for two-factor authentication. Twitter revealed last month that some of the phone numbers and email addresses submitted by users may have been inadvertently used for advertising purposes.

To enable or update a Twitter account’s two-factor authentication, users simply need to enter the Settings menu and access the Security section under Account. Selecting the Login Verification option will present the three options for the system. After choosing to use either a security key or an authenticator app, users may then delete their phone numbers by moving back up to the Account menu, tapping their phone number, and hitting delete.


Aaron Mamiit