Twitter Users Can Start Using Two-Factor Authentication Without Providing A Phone Number

Twitter 2FA

Two-factor authentication (2FA) ensures that people signing in to an online service are who they say they are.

2FA is the most effective means to safeguard accounts from phishing and credential-stuffing attacks, where passwords stolen in previous data breaches are tried on other sites. While the method itself is proven secure, the channel used to deliver the second factor may not be, especially when users rely on SMS.

And this is why Twitter is now letting users enroll in 2FA without providing a phone number. What’s more, it’s also providing an option to disable SMS-based 2FA.

The decoupling of the system comes in the wake of revelations that Twitter “accidentally” targeted ads at some users by way of their email addresses and phone numbers, which they provided only for account security purposes.

The decoupling is meant to prevent similar things from happening again.

Signing in using 2FA can be done in a lot of ways.

For example, users can use authenticator apps, biometrics, SMS, or hardware security keys. Of these, SMS is the least secure and the riskiest option.

With a rising wave of SIM swapping attacks, hackers have found a way to breach accounts protected by 2FA by intercepting the very SMS messages meant to keep users' accounts safe.

On Twitter, the 2FA setup was egregious because it required users to provide a phone number even if they were using an authenticator app or a physical key for 2FA. This effectively defeated the purpose of avoiding SMS-based authentication.

One of the most prominent cases was when Twitter's founder and CEO, Jack Dorsey, had his account hacked.

Twitter's 2FA options

So here, Twitter is decoupling its 2FA program to make signing in a lot safer.

Users who want to do this should first activate 2FA for their Twitter accounts and then download an authenticator app. This app will generate one-time passwords that authenticate their identities when signing in.

Another alternative is to use Yubico’s YubiKey.

Although adding a layer of SMS-based verification to sign-ins is better than relying on a password alone, it’s no longer the best way to do it.

Twitter's decision to finally decouple users' phone numbers from 2FA is an acknowledgement of the weaknesses of SMS.

Published: 
23/11/2019