Twitter allowed users two-factor authentication without SMS

Two-factor authentication on Twitter
Written by Valdis Koks

Twitter allowed two-factor authentication without SMS. The developers said that users will finally be able to use not only SMS messages, but also alternative methods of two-factor authentication (2FA), including an application with one-time codes or hardware security keys.

Previously, in order to use 2FA, users necessarily had to link a phone number to their accounts and include 2FA on the basis of SMS messages. Only after that it was possible to activate another method of two-factor authentication, and it was still impossible to disable the use of SMS (even if the user eventually preferred another 2FA option).

We want to give you the most secure experience on Twitter. Today, we updated our login process to support WebAuthn for an enhanced Two-Factor Authentication (2FA), so you can easily and securely authenticate your login with a single tap”, — reported Twitter developers.

The problem raised because Twitter accounts became vulnerable to SIM swap attacks. The essence of such attacks is that the criminal addresses the representatives of the victim’s mobile operator and uses social engineering.

For example, posing as the real owner of the number, the attacker claims that he has lost or broken the SIM card and is trying to transfer the number to the new SIM card. Then, the attackers steal accounts tied to the phone number, effectively stealing other people’s identities. Such attacks are often used to steal large amounts of cryptocurrency or to compromise “expensive” accounts on social networks.

Read also: AI-based Guard tool explores privacy policies

In recent years, the accounts of many celebrities have been hacked in this way, however, Twitter did not abandon its decision to make 2FA based on SMS mandatory and always active. Obviously, an incident that occurred almost three months ago caused the developers to change their minds.

Recall that at the end of August 2019, the account of the head of Twitter Jack Dorsey was compromised. Although in this case the problem was not linked with 2FA bypass, nevertheless, as the investigation showed, the attackers managed to “steal” Dorsey’s SIM card, and thanks to this they could publish notes on his behalf. After that, apparently, the company understood the danger of SIM swap attacks.

As a result, Twitter users can now delete the phone number associated with their account, but continue to use two-factor authentication, which was previously impossible.

For almost a year now, Twitter supported 2FA based on security keys, but this standard (FIDO U2F) only supports a limited number of browsers and authenticators, which limits its widespread availability.

As of today, we are replacing this with the FIDO2 WebAuthn protocol which allows support for more browsers and authenticators while also retaining all of the phishing resistant capabilities security key-based 2FA provides”, — reports Brian Wong, software engineer of Twitter.


WebAuthn is a web authentication standard approved by the World Wide Web Consortium (W3C) and and has been adopted by other tech industry leaders. The WebAuthn API allows for strong browser-to-hardware-based authentication using devices such as security keys, mobile phones (NFC, BLE), and other built-in authenticators such as TouchId.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics

Leave a Comment