How to keep Twitter safe without text two-factor authentication

Twitter makes MAJOR security change as it shuts down text message two-factor authentication – here’s how to keep YOUR account safe

  • Twitter has done away with a form of two-factor authentication today
  • Users can no longer receive a security code in a text message
  • MailOnline takes a look at the other ways you can keep your account secure 

Twitter has made a major security change today, having ditched the option of text message two-factor authentication (2FA) for the majority of users. 

2FA adds an extra layer of protection by sending a six-digit code to the account holder which must be inputted after the password to gain access.

From today, most Twitter users no longer have the option of being sent the code in a text, as the company has seen it ‘be used – and abused – by bad actors’.

Twitter Blue subscribers who pay $8/month will still be able to use text message two-factor authentication.

Thankfully, there are several other ways you can keep your Twitter account safe – here’s everything you need to know.  

Twitter has done away with a form of two-factor authentication today, which protects accounts from being accessed by cybercriminals. The security feature sends a six-digit code to the account holder each time they log in, which must be inputted to gain access (stock image)

Twitter users now no longer have the option of being sent an authentication code in a text, as the company has seen it ‘be used – and abused – by bad actors’. Twitter Blue subscribers will still be able to use text message two-factor authentication


Two-factor authentication adds an extra layer of security to apps and websites by asking for both a password and a unique code when logging in. 

If anyone tries to log into an account set up with two-factor authentication, they will be sent a code through a different channel, like in a text message or authentication app.

Even if a hacker has obtained the user’s email address and password, they won’t be able to access the account without this extra code.

While the extra layer of security isn’t completely hacker proof, it’s far more robust.

Use two-factor authentication – Authentication app

Twitter rolled out two-factor authentication with a text message in 2013, following a number of high-profile hacks.

Six years later, after realising that many users were falling victim to ‘SIM swapping’ scams, the firm introduced the ability to use authentication apps or hardware security keys instead.

SIM swapping is a scam whereby cyberthieves masquerade as the phone’s owner and convince the mobile provider to port the device’s number to their own SIM.

After that, providing they have the victim’s Twitter password, they can log-in to their account using text message two-factor authentication.

The addition of the new security methods came just after Twitter’s then-CEO Jack Dorsey’s account by stealing his mobile phone number.

To set up your Twitter account with two-factor authentication using a special authentication app, first you need to download one from your device’s app store.

Popular apps include Google Authenticator, Authy, LastPass Authenticator, Duo Mobile and 1Password.

Go to your account settings, click on ‘Security and account access’, ‘Security’ and then ‘Two-factor authentication’.

Tick ‘Authentication app’, click ‘Get Started’ and you will be asked to verify your account by inputting a code you will be sent over email.

After that is done, if on desktop, Twitter will give you a QR code to scan with your authentication app on your phone, and will give you a six-digit security code.

If you are setting up using your phone, click ‘Link app’, and your device will prompt you to choose the app you want to use, which will then generate the security code.

Once you’ve entered the code back on the Twitter app, the two-factor authentication will be set up.

This means that after you enter your password on Twitter, you will be prompted to open the authentication to approve the log-in request.

Use two-factor authentication – Hardware security key

Hardware security keys are physical devices which act in the same way as an authentication app.

They are usually in the form of a USB, but can also be a device that connects to a phone or computer over Bluetooth or lightning port. 

The benefits of these over an authentication app is that they are harder to steal as they are a physical object separate from your phone or computer.

However they also cost money to buy, and can be easily lost.

To link one with your Twitter account, go to your account settings, click on ‘Security and account access’, then ‘Security’ and ‘Two-factor authentication’.

Tick ‘Security Key’, and you will be taken to the browser version of Twitter to complete the set-up, if using the app.

Click ‘Get Started’ and connect your hardware security key to the phone or computer, and you will be taken through the setup instructions.

Once this is complete, you’ll be prompted to connect your security key to the device and press a button on it to verify your log in.

Hardware security keys are physical devices which act in the same way as an authentication app. They are usually in the form of a USB, but can also be a device that connects to a phone or computer over Bluetooth or lightning port (stock image)

Strong password

The first line of defence of any online account is its password, and choosing a strong, account-specific one can help protect you from cyber attacks.

According to internet security provider Norton, ‘the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters.’

‘The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out,’ it advised. 

‘Instead, they’ll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.’

Here are some steps to follow when creating a new password:


  • Use a combination of numbers, symbols, uppercase and lowercase letters
  • Ensure that the password is at least eight characters long
  • Use abbreviated phrases for passwords
  • Change your passwords regularly
  • Log out of websites and devices after you have finished using them


  • Choose a commonly used password like ‘123456’, ‘password’, ‘qwerty’ or ‘111111’
  • Use a solitary word. Hackers can use dictionary-based systems to crack passwords
  • Use a derivative of your name, family member’s name, pet’s name, phone number, address or birthday
  • Write your password down, share it or let anyone else use your login details
  • Answer ‘yes’ when asked to save your password to a computer browser


Use two-factor authentication with an authentication app or hardware security key. 

Use a strong password.

Avoid logging in using public Wi-Fi or devices.

Avoid using Twitter to log in to third party apps. 

Keep device and Twitter app updated.

Keep an eye on alerts from Twitter.

Be wary of suspicious links.

Avoid logging in using public Wi-Fi or devices

A good way of protecting your Twitter account from attack is by not using it while connected to a public Wi-Fi network.

Cybercriminals have been known to set up their own Wi-Fi networks that pose as ones offered at public places, like cafes and hotels.

Once a victim connects, the criminal can see all of their actions, including if they make any purchases or if they log into their bank accounts. 

They can also install something called a ‘Rogue Access Point’ on a company’s network without their knowledge.

These access points override the legitimate network, allowing the hacker to launch an attack and intercept data.

University of Adelaide information security expert Dr Malcolm Pattinson labelled WiFi as the ‘most insecure mechanism’ for sharing information and a ‘goldmine’ for criminals.

He advised people not to use public WiFi at all and particularly not for online banking.

‘It’s so easy to tap into and they can track keystrokes,’ he told The Advertiser. ‘They get your credit card number and your password.’

Twitter also recommends avoiding logging in to your account on a public device, like a library computer, but if you do, remember to log off when done.

Avoid using Twitter to log in to third party apps

Many third-party apps allow users to log in using their pre-existing Twitter account, rather than making a new, account-specific one.

This grants the app access, and they are then able to take action with the account, or lock the owner out.

It is therefore not advised to use this method to log in, but if you do, you can always revoke the app’s access through the ‘Applications’ tab in the Twitter settings.

Keep device and Twitter app updated 

Another way of preventing your Twitter account being hacked is by ensuring you have the latest version of the app downloaded. 

This means it is equipped with all the latest security patches designed to prevent a wide variety of cyber attacks.

The same goes for the browser and device operating system, which also require regular updates.

Downloading security software which can scan a device for viruses, spyware, and adware, is also a good idea.

Keep an eye on alerts from Twitter

Twitter will email you if it detects a suspicious log-in to your account, or if the account is logged into on a new device for the first time.

Keep an eye on these notifications, and if it notifies you of activity you think was from someone else, you can take appropriate action like changing the password.

Twitter will also notify you if the email address associated with your account has been changed, and suggest steps to regain control if it was not you.

Be wary of suspicious links

Cyber criminals have been known to create web pages that look like the Twitter log-in page, in order to steal user details.

Sometimes people post or send links using URL shorteners, like or TinyURL, but these hide the site’s real domain name.

This leaves users vulnerable, as they cannot immediately tell whether the site is genuine or not when they click on it. 

Never put your email and password into a site that does not have ‘’ as it is not genuine and may not be safe.


Have I Been Pwned?

Cybersecurity expert and Microsoft regional director Tory Hunt runs ‘Have I Been Pwned’.

The website lets you check whether your email has been compromised as part of any of the data breaches that have happened. 

If your email address pops up you should change your password.

Pwned Passwords

To check if your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.

The search tool will check it against the details of historical data breaches that made this information publicly visible. 

If your password does pop up, you’re likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.

Mr Hunt built the site to help people check whether or not the password they’d like to use was on a list of known breached passwords. 

The site does not store your password next to any personally identifiable data and every password is encrypted

Other Safety Tips

Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use. 

Next, enable two-factor authentication. Lastly, keep abreast of any breaches

Source: Read Full Article