It's time to change your Twitter security settings!
That's because the company is finally, finally fixing a major issue with its two-factor authentication security settings.
Twitter will now let users remove their phone number from their login verification settings, in a move that's already delighting security-nerd Twitter.
Another update today: you can now use Two Factor Authentication without linking a phone number. If you already have your phone number linked along with App-based 2FA, you can unlink your ?? it in the "Account" section of your settings while still keeping 2FA on. https://t.co/t63iRz2lIy
— Kayvon Beykpour (@kayvz) November 21, 2019
If you're not already familiar, two-factor authentication (2FA) adds an extra layer of security to your account so it's more difficult to hack. One common method is to use a phone number to receive SMS codes upon logging in, which are required in addition to your normal login credentials.
The issue with this is that text messages aren't very secure. And relying on SMS-based 2FA can have disastrous results when a determined hacker is involved, which is why most security experts recommend an app-based 2FA method like Google Authenticator. Otherwise, you're at risk of falling victim to SIM swapping, or a number of other creative methods hackers use to intercept text messages.
The problem for Twitter — and the reason why its 2FA has been widely criticized — is that up until now, the app still required users to opt into SMS security codes even when a third-party authentication app was enabled. Twitter has never publicly offered an explanation for this despite it being a major point of frustration for its security-minded users.
There's also the not-at-all-alarming fact that Twitter recently admitted it had "inadvertently" used people's 2FA phone numbers for ad targeting. (The company apologized and said it ended the practice.)
Luckily, Twitter users no longer have to worry about any of this. As of today, the company is updating its security settings so it's possible to use two-factor authentication without adding a phone number.
And, just in case it wasn't already completely obvious: Yes, you should absolutely change this setting right now.
Head to your login verification settings (also available here) and make sure that "text message" is unchecked. (A Twitter spokesperson confirmed that the feature is still rolling out, so if you get a notification that removing text messages will disable login verification, hang tight and try again a little later.) Then, you can delete your phone number in the "account" section of your settings.
Then, breathe a sigh of relief knowing that your account is now much harder to hack.