Twitter has changed its security settings to let you use two-factor authentication (2FA) without having to give the service your phone number. Back when Twitter relied on SMS to send users their six-digit 2FA codes this requirement made more sense, but now that it allows them use authentication apps or security keys, however, asking for phone numbers is increasingly unnecessary.
This is a very positive development from Twitter. Not only is SMS vulnerable to SIM-swapping attacks (just ask Twitter CEO Jack Dorsey), but Twitter also recently admitted to “unintentionally” using people’s phone numbers for advertising purposes. Authentication apps are more secure, and you can use them without having to give any more personal details to Twitter than you absolutely need to.
The most secure 2FA method, however, is using a security key, since these don’t rely on you having to type in a six-digit code that a sophisticated hacker could intercept. However, while Twitter supports these as a 2FA method, it’s not ready to let its users rely on them entirely. Responding to a user complaint, one Twitter engineer noted that security keys currently aren’t supported outside of Twitter on the web, so it still asks users to have another 2FA method enabled as a backup.
If you’ve given Twitter your phone number and you want to delete it, then head into settings in the app or on Twitter’s website, and then click into the “Account” menu. From here, tap your phone number, and then select the delete option. If you’re currently using SMS as a 2FA method then you’ll be warned that deleting it will turn it off, so be sure to set up an alternative 2FA method such as an authentication app to use in its place.