Twitter, tightening security, stops requiring phone numbers for authentication

The move comes after hackers infiltrated Twitter CEO Jack Dorsey's account.

Twitter says it will allow users to remove their phone numbers from the secure login process, a move that has triggered widespread praise from the security community.

Users can now use a one-time code, an app or a physical security key as a second factor of authentication into their account. Before Thursday, Twitter customers trying to log in securely could only enter their username and password, then ask the site to send them an SMS message to verify their identity. The company also forced users who did use a third-party authentication app to use their phone number to sign up.

Facebook announced in May 2018 it would stop requiring phone numbers for multi-factor authentication.

Now, amid a growing body of evidence that hackers can subvert text-based authentication, Twitter is expanding its options.

https://twitter.com/TwitterSafety/status/1197621020229804054

The change affords users more protection from SIM-swapping attacks like the kind that hit Twitter CEO Jack Dorsey in August. Often, hackers are able to convince mobile phone providers to switch a phone number to a new device that’s under their control. With text-based 2FA, technology companies like Google, Twitter and others send an SMS to the attacker, unintentionally giving the hacker a means to infiltrate the target account.

Outsiders took over Dorsey’s account to post a string of racist epithets and bomb threats. In other cases, scammers used SIM swapping to break into known bitcoin investors’ accounts, then steal millions of dollars’ worth of cryptocurrency.

Since then, Twitter also announced it provided email addresses and phone numbers customers used for security to advertisers. The company said the move was an error.

Meanwhile, lawmakers in Washington are asking Twitter for more details about how former employees were able to access users’ personal information, allegedly at the behest of Saudi Arabia.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
