Twitter has finally done the impossible: it’s letting users enroll in its two-factor authentication (2FA) program without requiring a phone number. What’s more, it’s also providing an option to disable SMS-based 2FA, which is known to be flawed and insecure.

The decoupling comes in the wake of revelations that the social blogging platform “accidentally” targeted ads at some users by way of their email addresses and phone numbers, which they provided only for account security purposes.

Twitter admitted it didn’t know exactly how many were impacted by the careless error, but said the issue was fixed as of September.

To set up your Twitter account for 2FA, all you need to do is download an authenticator app, such as Authy, that generates randomized six-digit one-time passwords to authenticate your identity when signing in. Another option is to use Yubico’s YubiKey.


2FA is the most effective means to secure your accounts from phishing and credential-stuffing attacks, where passwords stolen from previous data breaches are used on another site.

Although this can be done in a lot of ways (SMS, an authenticator app, biometrics, or even a hardware security key), SMS-based verification has proven to be a risky proposition, what with a rising wave of SIM swapping attacks that allow cybercriminals to hijack the very SMS messages meant to keep your account safe.

Things took a turn for the worse in September when hackers allegedly employed a SIM swap attack to gain access to the Twitter account of Jack Dorsey, the company’s CEO, after which it suspended the ability to tweet via SMS messages.

What made Twitter’s 2FA setup even more egregious was the prerequisite that made phone numbers mandatory even if you were to use an authenticator app or a physical key for 2FA, effectively defeating the purpose of avoiding SMS-based authentication.

Other major sites, including Google, Facebook, and GitHub, don’t lock users into giving their phone numbers when turning on 2FA.

“Whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears,” cybersecurity expert Matthew Green tweeted following the incident.
