Twitter Now Lets Users Skip SMS for Two-Factor Authentication

Twitter has announced that users can now use alternative methods for two-factor authentication (2FA) instead of being required to use SMS messages. These alternatives are authenticator apps that generate time-based one-time codes (TOTP) and hardware security keys, neither of which depends on the phone number attached to the account.

Previously, to enable 2FA on Twitter, users were required to link a phone number to their account and activate SMS-based 2FA. Only after this step could they enable another 2FA method, but it was still impossible to disable SMS as a 2FA option, even if the user preferred a different method.

This requirement made Twitter accounts vulnerable to SIM swap attacks. In such attacks, a criminal contacts the victim's mobile carrier and uses social engineering tactics, such as pretending to be the real owner of the number and claiming the SIM card was lost or damaged, to have the number transferred to a SIM card the attacker controls. From that point the attacker receives the SMS one-time codes and password-reset messages for every account linked to that number and can take them over, effectively hijacking the victim's digital identity. These attacks are often used to steal large amounts of cryptocurrency or to seize valuable social media accounts.

Over the past few years, many high-profile accounts have been hacked using this method. Despite this, Twitter had continued to require SMS-based 2FA. The company appears to have changed its stance after an incident roughly three months before this announcement.

In late August 2019, Twitter CEO Jack Dorsey's account was compromised. The attackers never bypassed 2FA or logged in to the account: the investigation found that they had hijacked Dorsey's phone number through his carrier, which let them post tweets by sending text messages from that number. This incident highlighted the dangers of SIM swap attacks to the company.

As a result, Twitter users can now remove the phone number linked to their account and still use two-factor authentication—something that was previously impossible.