Twitter has announced that you can now use third-party apps (such as Google Authenticator, Authy, or 1Password) to verify yourself at login.
We’re rolling out an update to login verification.
— Twitter Safety (@TwitterSafety) December 20, 2017
Which is great news, because previously – unlike many other online services – Twitter required you to either be capable of receiving SMS verification codes sent to your mobile phone, or to use their own smartphone app to verify a login.
Using SMS-based two-factor authentication has been frowned upon for some time, as criminals are able to exploit known weaknesses in the SS7 cellphone network to intercept text messages. In addition, there are countless malicious Android apps that are capable of capturing SMS codes as they are sent to devices, and then passing them on to account hackers.
So, hopefully you’re convinced that it makes really good sense to enable two-factor authentication for your Twitter account, and even better to do it in a way that doesn’t involve you relying upon vulnerable SMS messages.
Here’s how to enable the feature (known as Login Verification in Twitter parlance):
1. Log into Twitter at www.twitter.com from your desktop’s browser.
2. In the top right-hand corner, click on your avatar to bring up a drop-down menu. Click on Settings and privacy.
3. Under Account, choose Set up login verification
If you have not previously configured 2FA for Twitter, you will still need to initially set up the service with a mobile phone number and SMS. Twitter will walk you through that process. Once that’s in place, you’ll be able to Twitter to using an authentication app like Google Authenticator instead. Yes, this is a bit dumb…
Assuming you’ve been through the rigmarole of initially setting up Twitter’s 2FA with SMS, here’s what
you do next.
4. Click on Get backup code. This will generate an emergency backup code that you can use, if for any reason, you lose access to the device running your authenticator app.
Make a note of your backup code and keep it safe and secure. You definitely don’t want this falling into the wrong hands. For obvious reasons I’ve obscured my backup code in the screenshot below.
5. Click on Review your login verification methods. It’s time to setup a mobile authentication app. In the Mobile security app section click on Set up.
6. Scan the displayed barcode into your preferred authentication app.
Your app should now be able to generate the codes you require to login. Twitter will ask you to enter a code to check that everything is working properly.
7. Think you’re done? Not quite. You need to make sure that Twitter won’t still try to send you its six-digit login codes via SMS.
Go to Text Message and click on Edit.
8. Under Text message choose Off, and click Save changes.
Congratulations! You’ve done it.
From now on, whenever you try to login to your Twitter account you will be asked for the six-digit login verification code from your authenticator app after you have entered your username and password. Even if your password is compromised in future, hackers are going to find it considerably more difficult to access your account.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.