Twitter Updates 2FA. Allows More Control Over SMS!
Great news: Twitter has just made an important update to how its 2FA works. Users can now control whether SMS is used for 2FA logins to Twitter. This is a GREAT improvement, well done Twitter.
We’re rolling out an update to login verification.
You’ll now be able to use a third party app for two-factor authentication instead of SMS text messages. https://t.co/UXl3xKLEaG
— Twitter Safety (@TwitterSafety) December 20, 2017
This tweet, however, is a little misleading. It implies that Twitter has just now made available the ability to use third-party authenticator apps like Authy. In reality, you’ve been able to use Authy two-factor authentication with Twitter for over a year now. What they have changed is the control over SMS being used for 2FA.
As shown in the image above, Twitter users can now PREVENT SMS delivery of login security codes. This is a really significant and long overdue change from Twitter. Many people elect to use the Authy 2FA app instead of getting login codes by text message due to fears over the security of SMS.
Before this change, SMS was required in order to configure 2FA on Twitter. Users who set up TOTP (time-based one-time password) protection because they wished to avoid SMS therefore still had cause for concern: SMS remained a valid fallback option at login, which negated the security advantages of app-based 2FA. Twitter’s announcement this week allows users to remove SMS as a 2FA option and rely solely on their Authy app for the 2FA code.
How To Protect Your Tweets With Authy 2FA
So if you have not yet done so, go and set up 2FA on your Twitter account. Note that you still have to complete a phone verification step before you can secure your Twitter account with Authy. But once done, you can then go back and disable SMS.
Be aware that Twitter also uses SMS as a way for you to recover your account if you forget your password. So when disabling SMS, make sure you get a backup code and store it safely. From Twitter’s Login Verification page, just click on the “Get backup code” button, print the code or write it down, and keep it somewhere safe.