Twitter is adding the ability to choose two-factor authentication (2FA) methods other than receiving a text message (SMS). The alternate methods are a one-time code generated by an authenticator app or a hardware security key.
Previously, users had to enter their phone number to enable text-based 2FA.
There are several problems with SMS-only 2FA. A minor one is that in an area with poor cell service it can be hard to receive the code before it expires. The more serious one is the "SIM swap" attack: a malicious actor who already knows your password can have the victim's phone number temporarily moved to a SIM they control, receive the SMS code, bypass the second factor and gain access to the account.
If you’ve been on Twitter for any length of time, you know major accounts get hacked on a regular basis. In fact, the CEO of Twitter, Jack Dorsey, was recently hacked using a SIM swap.
The additional options go live today, and users will be able to remove their previously registered phone number in their 2FA settings.