Twitter Finally Fixed Its Two-Factor Authentication


Twitter is fixing its two-factor authentication options today to make the authentication process more secure. Until today, users who wanted to use authentication apps could be forced to revert to receiving a code by text message—but now Twitter is letting users turn off these less secure texted codes.

Two-factor authentication helps users prevent their accounts from being hijacked in case their passwords are stolen. Twitter and other sites that offer two-factor authentication will verify a user by requiring both the user’s password and an authentication code. Codes can be sent via text message or generated with an authentication app (some sites also offer two-factor authentication with a U2F dongle, but Twitter doesn’t currently have that option).

However, texted codes can be stolen—and hackers have used this tactic in the past to break into high-profile Twitter accounts. The activist DeRay Mckesson had his account hacked last year when someone called Verizon and posed as Mckesson, convincing the customer service representative to transfer his number to a new SIM. Twitter’s two-factor messages were then sent to the new SIM, allowing the hacker or hackers to get into Mckesson’s Twitter account.


Now, Twitter is finally allowing users to get authentication codes from a third-party authentication app—and only an authentication app.


Users who want to lock down their accounts can turn off the option to receive texted codes by going to the “settings and privacy” tab in their profile. “The Text message option will be on by default. Click Edit to no longer receive codes via text message. If the Security app selection is currently disabled, you’ll be prompted to enable it,” Twitter explains in a blog post.

A quick warning, though—some users reported that turning off texted codes turned off their two-factor authentication altogether and they had to set it up a second time. I wasn’t able to replicate the issue, but if you’re switching to an authentication app, just double-check to make sure two-factor is still enabled after you make any changes. You’ll also want to download your backup codes and store them in a safe place, in case you ever lose access to your authentication app.