Twitter Will Finally Let Users Disable SMS as Default 2FA Method

Twitter says users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts and use only an alternative method, such as a mobile one-time code (OTP) authenticator app or a hardware security key. Until this week, this was impossible. From a report: If users wanted to use 2FA for their Twitter account, they had to register a phone number and enable the SMS-based 2FA method, whether they wished to or not. Users who wanted to use an OTP mobile authenticator app or a hardware security key had to enable the SMS-based 2FA first, and they couldn’t disable it. Even if the user chose to use a security key, the SMS-based 2FA method was still active, and exposed the account to attacks known as SIM swaps. Hackers who knew a user’s password would perform a SIM swap to temporarily hijack a user’s phone number, bypass SMS-based 2FA, and then take over that user’s account.

Source:
https://it.slashdot.org/story/19/11/22/0937224/twitter-will-finally-let-users-disable-sms-as-default-2fa-method?utm_source=rss1.0mainlinkanon&utm_medium=feed