Reminder: Twitter is disabling a security feature in just two weeks
Twitter users have two weeks left to make sure that their account on the popular social messaging site remains protected with two-factor authentication (2FA). The company announced back in February that it will remove the SMS-based method from the available options for all free users.
Two-factor authentication is a security feature that adds a second authentication step to the sign-in process. Instead of only entering a username and password to log in, users also need to supply a code before the sign-in is authorized.
Twitter supported three methods: SMS, authenticator application and security key. SMS, or text message, is considered an insecure method, as the code is transferred in plain text to the user's mobile device. Certain attacks may be used to intercept these codes. Additionally, these codes are never generated on the user's device, but by the service itself, in this case Twitter.
While Twitter's motivation behind the change may be cost-cutting more than improved security for its users, most security experts advise against text messages for two-factor authentication.
The main appeal of message-based codes, whether delivered by SMS or email, is that they are the easiest to set up. For SMS, all a user needs to do is add a mobile phone number to the Twitter account. Email is even easier, as most services require an email address during setup.
The two-factor authentication options on Twitter
Free Twitter users are left with two methods for two-factor authentication on Twitter: authenticator app or security key. An authenticator app is an application that users run on their mobile devices or desktop systems to generate codes locally. While it requires installing an app on a device, setup is not overly complicated, and because the codes are generated locally on the device, any attack that tries to intercept the codes fails, as they are no longer transferred from the service to the user's device.
Security key requires a hardware device, like a YubiKey, which is linked to services. The physical key needs to be present, and the second verification step is usually done with a tap or touch. No codes need to be entered.
Both options are available, but security keys do come with a cost. Authenticator apps on the other hand are freely available. You can check out Ashwin's list of the best authenticator apps, or check out Aegis Authenticator as a starting point, which is an open source app that is on Ashwin's list.
Switching from one verification method to another is not all that different from setting up two-factor authentication on Twitter for the first time. Twitter will disable the Text Message method for all free users on March 20, 2023 anyway.
I have published a guide on setting up two-factor authentication using an authenticator app on Twitter. It requires just a few steps and improves account security significantly, even compared to the text message method.