Twitter says it will allow users to remove their phone numbers from the secure login process, a move that has triggered widespread praise from the security community.
Users can now use a one-time code, an authenticator app or a physical security key as a second factor of authentication for their account. Before Thursday, Twitter customers who wanted to log in securely could only enter their username and password, then ask the site to send them an SMS message to verify their identity. The company also required users who did use a third-party authentication app to provide their phone number to sign up.
Facebook announced in May 2018 it would stop requiring phone numbers for multi-factor authentication.
Now, amid a growing body of evidence that hackers can subvert text-based authentication, Twitter is expanding its options.
The change affords users more protection from SIM-swapping attacks like the one that hit Twitter CEO Jack Dorsey in August. Often, hackers are able to convince mobile phone providers to switch a phone number to a new device that is under their control. With text-based 2FA, technology companies like Google, Twitter and others then send the SMS code to the attacker, unintentionally giving the hacker a means to infiltrate the target account.
Outsiders took over Dorsey's account to post a string of racist epithets and bomb threats. In other cases, scammers used SIM swapping to break into known bitcoin investors' accounts and then steal millions of dollars' worth of cryptocurrency.
Twitter has also since disclosed that it provided email addresses and phone numbers that customers had supplied for security purposes to advertisers. The company said the move was an error.
Meanwhile, lawmakers in Washington are asking Twitter for more details about how former employees were able to access users’ personal information, allegedly at the behest of Saudi Arabia.