Twitter announced today that users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key.
Until today, this was impossible.
If users wanted to use 2FA for their Twitter account, they had to register a phone number and enable the SMS-based 2FA method, even if they wished it or not.
Users who wanted to use an OTP mobile authenticator app or a hardware security key, had to enable the SMS-based 2FA first, and they couldn't disable it.
Even if the user chose to use a security key, the SMS-based 2FA method was still active, and exposed the account to attacks known as SIM swaps.
Hackers who knew a user's password would perform a SIM swap to temporarily hijack a user's phone number, bypass SMS-based 2FA, and then take over that user's account.
For the past two years, many high-profile accounts have been hacked this way, but Twitter never budged on its decision to make SMS-based 2FA mandatory and an always-on option.
Everything changed on August 30, this summer, when hackers used a SIM swap attack to gain access to the Twitter account of Jack Dorsey, the Twitter CEO.
While hackers didn't bypass 2FA in the case of his account, they did expose the dangers of SIM swapping to the Twitter CEO and his security team.
Starting today, users can finally disable SMS-based 2FA, and opt for a more secure 2FA method.
This also means that Twitter users can now delete the phone number associated with their account, and still be able to use 2FA -- something that was not possible before. This also inherently eliminates scenarios where SIM swappers who don't know a user's password can use the SMS-based password recovery feature to hijack accounts -- effectively plugging the SIM swapping attack vector for an account.
Twitter announced the feature today, but it has been under testing for more than a week, as spotted by a user over the weekend