Twitter brings in WebAuthn two-factor authentication to help protect accounts

Twitter has supported 2FA (two-factor authentication) for many years but is now looking to up its game. Thanks to added support for the WebAuthn standard, there’s now no need to use your mobile phone number as a way of proving your identity.

That’s good news, because although generally more secure than relying on just a password, for a determined hacker, this particular method of 2FA was vulnerable to SIM-swapping attacks.

Related: Best Android apps

As Twitter points out in the blog post announcing the change, it’s actually supported security keys for over a year, but it still required you to link your phone number as a backup. It also relied on the FIDO U2F standard, which the company concedes is only supported by a handful of browsers and authenticators. 

WebAuthn, on the other hand, looks set to be far more widely updated. As Twitter writes: “The WebAuthn API allows for strong browser-to-hardware-based authentication using devices such as security keys, mobile phones (NFC, BLE), and other built-in authenticators such as TouchId.

“Given its relative benefits, WebAuthn is supported by most modern browsers including Chrome, Edge, Firefox and enjoys better coverage when compared to the former U2F standard.”

 

For the moment, Twitter says it only supports physical security key authenticators with WebAuthn, but the company says that it “expect[s] to add support for other options in the future.” If you have a supported authenticator already, you can register it by heading to your account page, clicking through to “Security” and then “Two-factor authentication”. 

Not being vulnerable to SIM-swap attacks is only one reason security-conscious people may be relieved by the shift away from phone numbers. Having your phone number attached to an online account isn’t great for privacy – especially when Twitter has already admitted to tying said numbers to advertising for a time by mistake.