How To Set Up Two-Factor Authentication For Your Twitter Account [2021]


Astri Hirons

Jan 25, 2024, 3:12:22 AM
to timipennse

Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its Settings and privacy, then Security and account access, Security, and finally Two-factor authentication. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.



These security options are a bit buried in the user interface, but can be accessed by going to Settings and Support, then Settings and privacy, followed by Security and account access, then Security, and finally Two-factor authentication.

A hardware security key is a fantastic tool to help stop hackers in their tracks as it offers an additional layer of defense. Even if a hacker has your username and password, the security key will keep your account secure.

When you set up any two-factor authentication on your Twitter account, you'll be given the option to set up a backup code. This is a one-time code that you can use if you don't have access to your authentication app or security key.

If you use text-based authentication as an additional level of security for your Twitter account, you may be aware that this option will be reserved for paying Twitter Blue subscribers come mid-March. This post will explain how to enable app-based authentication. We found it easier to do on our desktop, with the authenticator code on our phone.

1. While logged in, navigate to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.

Two-factor authentication is not required to be a user on Twitter, but it is a proven and easy way to help keep accounts secure. It makes it so if someone wants to hack into an account they'd have to have the password and access to the account owner's device.

Twitter Blue costs $11 a month on Android and iOS in the U.S. It's $8 a month for web users. Users have 30 days to sign up or they will see their SMS two-factor authentication (2FA) turned off automatically, the company said.

Twitter says the reason for this move is due to phone number-based two-factor authentication being "abused by bad actors." But the planned move has riled up many users, concerned about wider implications.

"Twitter users should never have been put in this situation. Making changes to something as sensitive as 2 factor authentication, which could mean the difference between someone's physical safety and a stalker, abuser or authoritarian government gaining access to their account, should never be made in such a reckless and poorly thought out manner," Greer said in her email to NPR.

This is when "an attacker calls your cell phone company pretending to be you and convinces them to transfer your phone number to a new device, then sends the 2 factor authentication code" to themselves, she said.

Chances are you or someone you know has had their social media accounts stolen. This is a big bummer on many levels from trying to get your accounts back, to someone messaging your networks without your knowledge or permission.

To be clear, two-factor authentication is still not required to log into Twitter, although we highly encourage users to enable it. This change just restricts the 2FA methods available for accounts not subscribed to Twitter Blue.

To set up an authentication app to secure your Twitter account, you will need to download one of a number of available applications to your device. They are free in the Apple or Android app stores. If you'd rather not use Google or Microsoft Authenticator, there are other options, including Authy, Duo Mobile and 1Password.

Once you have the app, open the desktop version of Twitter and click on the icon showing ellipses in a circle. There, you'll find "Settings and privacy," then "Security and account access" and finally "Security." Here, you can select "Authentication app" and follow the instructions to set it up. Twitter will ask you to share your email address to do this, if you have not already.

I immediately thought my account had been compromised even though I had a strong password and two-factor authentication configured on it, somewhat possible I guess. I then thought about potentially leaked access tokens.

Word of advice: 1. Double check your authorized connections on Twitter, Facebook, etc. 2. Strong password / 2FA everywhere. 3. Go through emails to find those accounts you probably signed up to a while ago with a shitty password, repeat #1 and #2.

Many of the contacts with whom I spoke said that two-factor authentication had not been enabled because of the difficulties in locking a shared Twitter account to a single phone. This should not be an impediment. A step-by-step guide for setting up two-factor authentication for shared accounts can be found at the end of this blog post.

The number of outlets I spoke to may not be enough to be representative, but the answers are useful. I was expecting the results to be similar to the poll, where journalists in North America and Western Europe were more likely to know what two-factor authentication is. Instead, of the six organizations that use two-factor authentication, only one was in the U.S. The rest were in South Asia and the Americas. Contacts at some of these international companies told me they rely on two-factor authentication not only on Twitter, but on every critical service that offers it.

The easiest way to enable two-factor authentication on shared accounts is by using the teams feature on TweetDeck and then using the app to manage and run the account. With this process, each team member uses their personal Twitter login to access TweetDeck. This allows multiple users to manage and run a shared account from TweetDeck, eliminating the need for team members to log into the shared account directly. TweetDeck, which is an official Twitter app, can be accessed in a browser at , through the Chrome App or as a desktop app. The main account user creates team members by adding Twitter users as contributors or administrators of the shared account.

GroupTweet offers the ability to safely and securely add multiple contributors to your Twitter account, but approaches the workflow in a unique way that our users love. News & Media organizations such as ESPN, FoxNews, SkyNews, the New York Post and others are all using GroupTweet every day to help manage their Twitter accounts safely, securely, and conveniently.

In Twitter's own words, "enabling 2FA ensures that even if your account password is compromised (perhaps due to the reuse of your Twitter password on other, less secure, websites), attackers will still be blocked from logging into your account without access to the additional authentication required."

2FA on Twitter is available regardless of whether you access your account from your smartphone or desktop computer. Once enabled, Twitter will prompt you - alongside requesting your password - to confirm that you are authorised to access the account by entering a six-digit code or using a security key.

Which makes it disappointing to discover that more than eight years after Twitter first introduced two-factor authentication to stop hackers from hijacking accounts, only 1 in 50 users have chosen to enable the feature.

Twitter in February 2023 announced that text message two-factor authentication (2FA) is set to become a premium feature for Twitter Blue accounts. Here's why the company's logic behind the decision doesn't make any sense from a security perspective, and why you don't need the feature anyway.

Rather than rely on SMS-based 2FA, Twitter users should be using a mobile authentication app, like Duo, Authy, or Google Authenticator, or the password authenticator built-in to iOS. App-based 2FA is a far more secure alternative, as it never leaves your device and doesn't involve you receiving a code sent to your phone via text message.

Regardless of whether or not you have abandoned your Twitter account in favor of alternative, decentralized services like Mastodon and others, you will still want to take action before March 20 to secure your account in the event that someone breaks in and starts tweeting on your behalf.

The new authentication policy doesn't come into effect until March 20, at which point Twitter says it will disable two-factor authentication for nonsubscribers. Fortunately, there are other authentication methods nonsubscribers can switch to.

Users typically plug these keys into a computer or connect them to their phone while logging into an account. They're a very secure form of authentication because a hacker would need to physically have the key to log into an account.

Under "settings and support," navigate to the "settings and privacy" menu to "security and account access," then to "security," and finally to "two-factor authentication." Here, users should be able to select either a security key or an authentication app. Twitter will need the user's email address to enable this.

Note: If you manage multiple accounts that use the same phone number, it is possible to use login verification for each account. For added security, we recommend enabling login verification for all of your accounts.

Thankfully, Twitter will notify you if account information has been changed, or if your account appears to have been compromised, but it is important to be aware of these other tip-offs when Twitter does not catch the problem.

When we talk about inadequate password security, that can mean using the same password for multiple accounts, using too simple of a password, sharing your password with people you cannot trust or in non-secure channels, or not changing your password regularly. If any of these are relevant to you and the way you handle your Twitter account, you will need to make adjustments to improve the security of your account, even if you are not immediately concerned about your Twitter account being compromised.
