Twitter users can finally delete their mobile phone number from their account while still being able to use 2FA to additionally secure it.
The move comes after too many instances of SIM swapping attackers hijacking users’ accounts and almost three months after Twitter CEO Jack Dorsey became a victim of such an attack himself.
Twitter first offered users the option to enable two-factor authentication on their account in May 2013.
At the time, users had to associate a mobile phone number with the account and could only receive the second authentication factor via SMS.
Since then, Twitter added the option of 2FA via an OTP mobile authenticator app or a hardware security key, but to use either of the two, users first had to enable SMS-based 2FA. They could switch SMS off after finishing the setup of 2FA via authenticator app (or via hardware key plus authenticator app), but couldn’t delete their phone number from their Twitter account without completely disabling 2FA.
This allowed attackers who knew their target’s phone number to trick mobile carriers into porting the number to a new SIM card and then gain access to the target’s account by abusing the SMS-based password recovery option.
In August 2019, Jack Dorsey’s Twitter account was taken over by SIM swapping attackers and the company temporarily turned off the ability to Tweet via SMS to protect people’s accounts.
In October, Twitter admitted that email addresses and phone numbers users added to their accounts for safety or security purposes (e.g., two-factor authentication) “may have inadvertently been used for advertising purposes.”
Beware before deleting your phone number
On Thursday, Twitter finally announced that users can now use 2FA without a phone number on file, i.e., they can safely delete their phone number from their account.
The option, though, is only available to users who opt for 2FA via an OTP mobile authenticator app.
Jared Miller, a Twitter software engineer working in account security, explained that Twitter still requires users to have a second method alongside security keys, since the latter weren’t currently supported outside the web.
“If you’d like to disable SMS, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it,” he added.
UPDATE (August 2, 2021, 01:10 a.m. PT):
Earlier this year Twitter announced that users can enroll one or more security keys as the only form of 2FA on their Twitter account (without a backup 2FA method).
Current Twitter 2FA options include text message, authentication app, or security key.