Twitter will allow users to enable two-factor authentication (2FA) without providing a SMS number, the company announced. Although the SMS option remains available, users can now also use internet browsers and authenticators. The change comes in response to user requests dating back at least a year. In addition, the recent high-profile, successful SIM-swap attack on Twitter CEO Jack Dorsey — which occurred despite the enabling of SMS-based 2fa — most likely contributed to the decision to make a change.
“Although Twitter has supported security key-based 2FA for almost a year now, the prevailing standard (FIDO U2F) supported only a limited number of browsers and authenticators, restricting the potential for widespread adoption,” the statement said. “As of today, we are replacing this with the FIDO2 WebAuthn protocol which allows support for more browsers and authenticators while also retaining all of the phishing resistant capabilities security key-based 2FA provides.”
Currently, Twitter only supports the WebAuthn web authentication standard’s physical security key. WebAuthn is approved by the World Wide Web Consortium (W3C) and works in most major web browsers including Chrome, Edge, and Firefox. It is a commonly used security measure by many in the tech industry. However, the company does plan to add additional options in the future, so users will have more choices about how to secure their account.
“WebAuthn is enabled by default and follows the same process as before when registering your security key,” the statement said. “As of today, Twitter only supports physical security key authenticators with WebAuthn, while we expect to add support for other options in the future.”
Twitter’s decision comes amidst heightened fears about the vulnerability of user data. Account takeover attacks are on the rise, with hackers using successful attacks on social media platforms — aided by poor user password hygiene — to hack into users’ other accounts across the web.