Twitter has changed its security settings to allow two-factor authentication (2FA) on accounts without a linked phone number. Previously, it sent 6-digit 2FA codes via SMS; now it lets users rely on security keys or authenticator apps instead.
App- or key-based 2FA is better than SMS-based codes because SMS is highly vulnerable to SIM-swapping attacks, so SMS is not the right channel for delivering secondary login codes. Moreover, Twitter has admitted that it used the linked phone numbers to target ads.
However, Twitter does not want users to rely entirely on security keys yet. In response to a user's query, a Twitter engineer tweeted that security keys are currently supported only on the web, so if you disable the SMS verification method you should also have an authenticator app set up on your phone.
Earlier this year, Twitter CEO Jack Dorsey's account was hijacked through this kind of SIM swapping and used to send tweets, though 2FA was not involved. If your phone number is linked to your account, you can remove it now. To delete your number, open the app settings, click the Account menu, then tap your phone number and select delete. Users who rely on SMS as their 2FA method will be notified that removing the number turns it off, so set up an alternative 2FA method such as Google Authenticator first.