Twitter lets users disable SMS 2FA and use only security keys
Catalin Cimpanu June 30, 2021

Twitter has updated its platform today to allow users to use security keys as their only form of two-factor authentication (2FA).

The move means users can finally disable SMS-based 2FA for their Twitter accounts and use a more robust alternative such as an authenticator app or a security key as their only 2FA method.

“We know this is important to people because not everyone is able to have a backup 2FA method or wants to share their phone number with us,” Twitter said today.

The new security settings are available to all users starting today for all Twitter platforms, such as Android, iOS, and the web interface.

Twitter’s announcement might not be news for some users.

Since November 2019, Twitter has been allowing new users to enroll in its 2FA program without a phone number and start using a security key or authenticator app directly.

At the time, some users figured out that by leaving Twitter’s 2FA program and then enrolling again, they could skip using SMS as a 2FA mechanism.

Starting today, this process has become much easier and more direct, and it is available on all Twitter platforms, including its mobile apps, where using security keys was notoriously difficult.

Today’s update also follows several years of work by the social network’s engineers to add security key support to the platform.

  • 2018 – initial security key support added to web interface
  • 2019 – security key support updated to WebAuthn standard
  • 2020 – security key support added for iOS and Android apps
  • 2021 – added support for using multiple security keys per account

A big factor in Twitter’s decision to move away from SMS-based 2FA was a series of hacks of high-profile and verified Twitter accounts in which threat actors used a technique called SIM swapping to bypass SMS 2FA: by temporarily hijacking a victim’s phone number, the attacker receives the SMS 2FA codes. The account of Twitter CEO Jack Dorsey was hacked this way.

Users who want to disable SMS 2FA and use only security keys can now go to:

https://twitter.com/settings/account/login_verification

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.