Twitter just made a huge adjustment to its best security feature. And now, you won’t have to hand your phone number over to Jack to use it.
Multi-factor authentication is one of the best ways to prevent someone else from accessing and taking over your account. Where it’s available, you should always have it enabled. While Twitter has had two-factor authentication (2FA) for years, the company announced Thursday that users can now use its 2FA feature without linking their number to their account. Moreover, Twitter product lead Kayvon Beykpour tweeted that users who have their number linked to their account in addition to app-based authentication can remove their number and keep their 2FA enabled.
Twitter offers three ways to secure your account: with an SMS text message, through an authentication app like Authy or Google Authenticator, or with a physical security key. The important thing to know is that while any two-factor authentication is better than none, the three methods don’t provide the same level of security.
SMS authentication codes can be intercepted by an attacker who hijacks your SIM (a SIM swap) in an attempt to gain control of your account, because the code travels over the phone network. A physical key is perhaps the strongest way to protect against hacking, but authenticator apps are also a solid option—the best and easiest way to secure your account without a physical key, since the code is computed on your device and never sent to you.
To access these tools, head to the Settings section of your Twitter profile. From the Account tab, you’ll see the Security subsection, then click the Login verification option, and scroll down to the Verification methods section. If you decide to enable 2FA using your phone number—again, this is not necessarily the best option but is far better than having zero two-factor authentication at all—you’ll need to verify your phone with a texted code.
A better bet is to head to the Apple App Store or Google Play Store and download a compatible authentication app (Google Authenticator, Authy, Duo Mobile, 1Password, and more all work), which you can use to pair with your Twitter account and any other account that allows for app-based 2FA. Once you have one, here’s what you’ll do:
- In your two-factor authentication settings, select Authentication app.
- You’ll see a message about using “a compatible authentication app to get an authentication code when you log in to Twitter.” Click Start.
- Enter your Twitter password, then click Verify.
- Twitter will display a QR code. Open your authentication app and scan the QR code to link your account. Click Next.
- Enter the authentication code shown in your app, and then click Verify.
- You should then see a note from Twitter that you’re “all set.” Click Got it.
And, as Beykpour noted, you’ll now be able to unpair your phone number if app authentication is enabled—be sure to do that as well after you’ve enabled app-based 2FA. (As Engadget pointed out, a Twitter software engineer said that a second method is still, at present, required for those using physical keys, since the keys aren’t supported outside of the web client.)
Gizmodo reached out to Twitter to find out whether the company stores mobile numbers that have been removed from accounts or whether that data is immediately deleted. The company didn’t immediately return a request for comment, but we’ll update this post when we hear back.
In short, always use 2FA, and enable app authentication where it’s available.