Two-factor authentication is good! SMS-based two-factor authentication? Not the best option. After countless tales of people having their phone numbers and inbound SMS hijacked by way of SIM swapping, it’s clear that SMS just isn’t the right solution for sending people secondary login codes.
And yet, for many years, it’s been the mandatory go-to on Twitter. You could switch to another option later (like Google Authenticator, or a physical Yubikey) — but to turn it on in the first place, you were locked into giving Twitter a phone number and using SMS.
Twitter is getting around to fixing this, at long last. The Twitter Safety team announced that you’ll be able to enable two-factor authentication without the need for a phone number, starting sometime today.
This news comes just a few months after Jack Dorsey’s own Twitter account was hacked (seemingly by way of a SIM swap) and a few weeks after Twitter had to admit it was using phone numbers provided during the two-factor setup process for serving targeted ads.
Some users are reporting that the setup process still requests a phone number, so it seems like this change is being rolled out rather than launching for everyone immediately.