After a decade of prodding, Twitter drastically improved its two-factor authentication on Wednesday, expanding an important security tool widely adopted elsewhere online, including by Google and Facebook.
The social media company announced support for apps like Google Authenticator and Authy, which work offline, are independent of carrier or location, and are more resistant to eavesdropping or hijacking. Crucially, users can now turn off SMS authentication for the first time. SMS is considered one of the least-secure methods of two-factor authentication.
Two-factor authentication typically works by requiring a password as well as a second method to log in. Commonly used second factors include SMS codes, small pieces of hardware — such as USB keys or dongles — or even biometric authenticators like fingerprints or face scans.
Security experts strongly recommend all users turn on two-factor authentication for important internet accounts including email, banking and social media.
Twitter users can upgrade in the settings and privacy section of their profiles.
We’re rolling out an update to login verification.
You’ll now be able to use a third party app for two-factor authentication instead of SMS text messages. https://t.co/UXl3xKLEaG
— Twitter Safety (@TwitterSafety) December 20, 2017
Twitter still lacks support for hardware authenticators like YubiKeys, another tool supported by Facebook and Google, among other services.
Hardware authentication dongles are considered more secure by experts but require a purchase and a learning curve. Apps like Google Authenticator are free and still offer significant security benefits for users over Twitter’s previous options.
It wouldn’t be a high-profile rollout without some glitches: Within hours of the new feature’s arrival, some users complained of bugs like Twitter mistakenly removing their entire two-factor setup.