Twitter two-factor authentication via 2FA apps and hardware tokens

Protectimus
Feb 20, 2020 · 7 min read

With over 145 million active users Twitter is widely used not only for personal entertainment but for business and political agendas too. Yet, surprisingly (or not, considering that they did admit to using phone numbers for targeting ads) Twitter has been reluctant to forgo SMS to deliver one time passwords for their 2 step verification for a very, very long time. Until finally, in November last year, they gave in and allowed for Twitter two-factor authentication without requiring the phone number.

In this post we will look into all the 2FA methods Twitter supports, show you how to activate each of them and how to make sure you are able to login even if you lose your 2FA Twitter token.

How to enable Twitter 2FA via SMS and whether it’s worth it

As we’ve already mentioned above — we are decidedly against Twitter 2FA SMS based. As a matter of fact — we vehemently insist that using SMS to deliver verification code for MFA anywhere, not only in Twitter 2FA, is not safe and should be avoided if at all possible.

Why are we so against SMS? While it is convenient and cheap to use, it is also astonishingly easy to hack. The ways to break into an account that’s protected only this way are numerous. Starting with a simple SIM swap and ending with more complex things like intercepting the passwords by exploiting the numerous vulnerabilities of the telecom infrastructure. We’ve talked about these and other SMS 2FA vulnerabilities like fake cell towers extensively before, you can read it here.

Yet, while Twitter 2FA without SMS is the way to go, we do understand that circumstances might be demanding otherwise and one might want to know how to send Twitter two-factor authentication code via SMS. So here’s a simple guide on it:

  1. Go to your account settings (“More” → “Settings and privacy”) and find “Security” →”Two-factor Authentication”.
  2. Check the “Text message” box and press “Get Started”.
  3. Enter your user pass then press on “Verify”. If there’s no telephone number allied with the user, you will need to provide one now.
  4. Type in the Twitter confirmation code that was messaged to the provided number. Next you’ll get a Twitter backup code on the screen, make sure to save it, or make a screenshot and save that in a secure place. We’ll expand on why later in this article.
  5. Click “Got it” to finish.

From now on to get into your Twitter account on any device, be it Twitter mobile or desktop, an authentication code will be required and that code will be messaged to your phone.

| Read also: 2FA Chatbots vs. SMS Authentication

Twitter two-factor authentication with code generator app

So we’ve established that Twitter two factor authentication without phone number is much more preferable. But what are the alternatives? A 2FA code generator app for Twitter is a nice Twitter phone number bypass that provides more security than SMS ever could. A one-time twittercode is generated directly on the smartphone, which eliminates a good portion of vulnerabilities that can be exploited to gain unauthorized access to your Twitter account. A Twitter verification code hack is way harder to do if the password is not transmitted via GSM, or even Internet.

Of course, this type of MFA is not a bulletproof option. Even if the Twitter code generator app does not require the Internet to operate, the phone is still connected and as such is vulnerable. Moreover, you can’t avoid a stolen Twitter app if the phone itself is stolen.

But an MFA app is still a good and safer choice. There’s an abundance of apps to choose from and most of them are either cheap or free. And chances are — you already have one of them installed, there’s even a Twitter 2 factor authentication Google Authenticator option. In case you are not sure which Twitter verification code generator is the best for you here’s a comprehensive list of the best 2FA apps currently available.

So, how to activate code generator feature for Twitter?

  1. In the settings menu go to “Security” →”Two-factor Authentication” where the “Authentication app” box needs to be checked.
  2. Make sure to study the provided guide and press the “Start” button.
  3. If you haven’t yet got an MFA app choose one and install it. After the Twitter code generator app download is done and the installation is complete scan the QR code provided by Twitter to connect the MFA application with Twitter login. Do so and click “Next”
  4. Type in the pass produced by the MFA application and click the “Verify” button.

How to enable Twitter two-factor authentication with a hardware token

Hardware tokens are the most bulletproof defense measure you can get when it comes to MFA. These small devices are not connected to any network, their only purpose is to generate one-time passes. As you can imagine, intercepting such a password is impossible. As well as hacking the token itself. There simply is no entryway.

To enable two-factor authentication Twitter suggests utilizing USB tokens, but this approach still requires SMS or 2FA app activation. You can find how to do it here.

The best physical token to use for Twitter authentication is not a USB token though, it’s the programmable token Protectimus Slim NFC. Why? First of all — the security key is not hardcoded into them, which means they can be programmed to be reused with another account. Second — they are impenetrable for any malware, you do not need to connect them to a computer, which is a lot more secure. You can easily use them for Twitter mobile log in. Finally, they are as easy to activate as any MFA application. Note that you’ll need an Android smartphone with NFC to connect this hardware token to Twitter.

Here’s how:

  1. Download Protectimus TOTP Burner application. The app is currently available for Android smartphones only.
  2. Repeat steps 1 and 2 from the previous paragraph. Start adding Authentication app on Twitter.
  3. Enable NFC and scan the QR code with the secret key with the Protectimus TOTP Burner application. Instead of scanning the Twitter QR code with an MFA app you need to scan the code with the Burner app. If the scan is completed successfully the app will show you a “Next” button, click it.
  4. “Burn” the secret key into the hardware token. Turn the Protectimus Slim NFC token on and put it close to the smartphone’s NFC antenna. When the TOTP Burner application recognizes the token you’ll hear a signal, then tap a “Continue” button.
  5. Enter the one-time password from the token on Twitter to verify it and enable 2-factor authentication. Now that the token is activated all you need to do is enter the pass it generates on Twitter.

| Read also: TOTP Tokens Protectimus Slim NFC: Frequently Asked Questions

How to download backup codes for your Twitter account

Sadly, no matter how secure the MFA method you choose is, life happens and tokens get lost, phones stolen and passwords forgotten. That’s why we mentioned briefly above that you’ll want to save the backup code Twitter generates when you turn on Twitter two factor authentication. Let’s expand on that a bit.

As has already been mentioned, Twitter backup code generator is activated in time with the 2FA activation on any Twitter client, be it mobile, desktop, or app. But 4 more additional backup codes can be generated from twitter.com at any time.

Make sure to place these backup account passwords in a secure place, you can store them as screenshots, or printouts, or just write them down.

In the event that the phone is lost, or the token is broken, or even if the phone number is changed, one of these codes will be used to restore access to your Twitter account.

The codes have to be applied in the exact sequence they were generated; a code used out of order will revoke all the codes generated before it.

Twitter backup codes are to be used for twitter.com and mobile twitter, as well as for Twitter clients, and Android and iOS apps. They can not be used for third party apps that are associated with the Twitter account. For those you will need temporary passwords, so make sure not to confuse the two.

Temporary passwords are sent out by Twitter automatically when you enable 2FA and need to login on other devices. But your own temp password can be generated as well from your Twitter account’s security settings in the “Additional methods” part.

Read more:

Originally published at https://www.protectimus.com on February 20, 2020.

The Startup

Get smarter at building your thing. Join The Startup’s +724K followers.

Protectimus

Written by

Two-factor authentication solutions for business. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +724K followers.

Protectimus

Written by

Two-factor authentication solutions for business. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +724K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store