Now Twitter users can enable two-factor without linking a phone number

Extra security without reduced privacy.

Sponsored Links


Twitter has finally made a change users have been waiting a long time to see. No, it's not editable tweets, but as of today everyone can enable two-factor authentication on their account without linking a phone number.

While SMS-based two-factor can be a fallback for people who lose access to code-generating devices or don't have security keys, it's very vulnerable to SIM-swapping attacks. Twitter added code generator support a while ago, but still asked users to add a phone number if they wanted the extra verification and you couldn't remove the fallback. That's upsetting for those concerned about their privacy, they may not want to link a phone number to their account at all, and Twitter has already admitted that it used phone-numbers to target ads even for users who declined that.

Attackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey's account earlier this year, and while the exploit didn't use two-factor codes, it showed how vulnerable the SMS-based system can be. If you already have a phone number linked in your profile, then you can go ahead and remove it now. However, a security engineer noted that you can't remove the number and rely simply on a security key for access since that's only supported on the website.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget