Twitter Two-Factor Authentication in Details

With over 145 million active users, Twitter is widely used not only for personal entertainment but for business and political agendas too. Yet, surprisingly (or not, considering that they did admit to using phone numbers for targeting ads), Twitter was reluctant for a very, very long time to forgo SMS for delivering the one-time passwords of its two-step verification. Finally, in November last year, they gave in and allowed Twitter two-factor authentication without requiring a phone number.

In this post we will look into all the 2FA methods Twitter supports, show you how to activate each of them, and explain how to make sure you are able to log in even if you lose your Twitter 2FA token.

How to enable Twitter 2FA via SMS and whether it’s worth it

As we’ve already mentioned above — we are decidedly against SMS-based Twitter 2FA. As a matter of fact — we vehemently insist that using SMS to deliver verification codes for MFA anywhere, not only for Twitter 2FA, is not safe and should be avoided if at all possible.

Why are we so against SMS? While it is convenient and cheap to use, it is also astonishingly easy to defeat. There are numerous ways to break into an account that is protected only this way, starting with a simple SIM swap and ending with more complex attacks such as intercepting the codes by exploiting the many vulnerabilities of the telecom infrastructure. We’ve talked about these and other SMS 2FA vulnerabilities, like fake cell towers, extensively before; you can read it here.

Yet, while Twitter 2FA without SMS is the way to go, we do understand that circumstances might demand otherwise and one might want to know how to receive the Twitter two-factor authentication code via SMS. So here’s a simple guide:

  1. Go to your account settings (“More” → “Settings and privacy”) and find “Security” →“Two-factor Authentication”.
  2. Check the “Text message” box and press “Get Started”.
  3. Enter your password, then press “Verify”. If there’s no telephone number linked to the account, you will need to provide one now.
  4. Type in the Twitter confirmation code that was texted to the provided number. Next you’ll get a Twitter backup code on the screen; make sure to save it, or take a screenshot and store it in a secure place. We’ll expand on why later in this article.
  5. Click “Got it” to finish.
Twitter two-factor authentication via SMS

From now on, to get into your Twitter account on any device, be it Twitter mobile or desktop, an authentication code will be required, and that code will be texted to your phone.

Twitter two-factor authentication with code generator app

So we’ve established that Twitter two-factor authentication without a phone number is much preferable. But what are the alternatives? A 2FA code generator app for Twitter lets you skip the phone number entirely and provides more security than SMS ever could. The one-time Twitter code is generated directly on the smartphone, which eliminates a good portion of the vulnerabilities that can be exploited to gain unauthorized access to your Twitter account. Stealing a Twitter verification code is far harder when the code is never transmitted over GSM, or even over the Internet.

Of course, this type of MFA is not a bulletproof option either. Even if the Twitter code generator app does not require the Internet to operate, the phone is still connected and as such is vulnerable. Moreover, if the phone itself is stolen, the authenticator app and its secrets are stolen with it.

But an MFA app is still a good and safer choice. There’s an abundance of apps to choose from and most of them are either cheap or free. And chances are you already have one of them installed; Twitter 2FA works with Google Authenticator, for instance. In case you are not sure which Twitter verification code generator is the best for you, here’s a comprehensive list of the best 2FA apps currently available.

So, how do you activate the code generator feature for Twitter?

  1. In the settings menu go to “Security” →“Two-factor Authentication” where the “Authentication app” box needs to be checked.
  2. Make sure to study the provided guide and press the “Start” button.
  3. If you haven’t got an MFA app yet, choose one and install it. Once the Twitter code generator app is downloaded and installed, scan the QR code provided by Twitter to link the MFA application with your Twitter login. Do so and click “Next”.
  4. Type in the code produced by the MFA application and click the “Verify” button.
Twitter two-factor authentication via 2FA app

How to enable Twitter two-factor authentication with a hardware token

Hardware tokens are the most bulletproof defense measure you can get when it comes to MFA. These small devices are not connected to any network; their only purpose is to generate one-time passwords. As you can imagine, intercepting such a password is impossible, and so is hacking the token itself: there simply is no entryway.

For two-factor authentication Twitter also suggests USB security keys, but this approach still requires SMS or a 2FA app to be activated first. You can find how to do it here.

The best physical token to use for Twitter authentication is not a USB token though, it’s the programmable token Protectimus Slim NFC. Why? First of all — the secret key is not hardcoded into them, which means they can be re-programmed for use with another account. Second — they are impenetrable for any malware, since you never need to connect them to a computer, which is a lot more secure. You can easily use them for Twitter mobile log in. Finally, they are as easy to activate as any MFA application. Note that you’ll need an Android smartphone with NFC to connect this hardware token to Twitter.

Here’s how:

  1. Download Protectimus TOTP Burner application.

    The app is currently available for Android smartphones only.

  2. Repeat steps 1 and 2 from the previous section.

    Start adding an authentication app on Twitter.

  3. Enable NFC and scan the QR code with the secret key with the Protectimus TOTP Burner application.

    Instead of scanning the Twitter QR code with an MFA app, you need to scan the code with the Burner app. If the scan completes successfully the app will show you a “Next” button; click it.

How to program Protectimus Slim NFC

  4. “Burn” the secret key into the hardware token.

    Turn the Protectimus Slim NFC token on and hold it close to the smartphone’s NFC antenna. When the TOTP Burner application recognizes the token you’ll hear a signal; then tap the “Continue” button.

  5. Enter the one-time password from the token on Twitter to verify it and enable 2-factor authentication.

    Now that the token is activated, all you need to do is enter the code it generates on Twitter.

How to download backup codes for your Twitter account

Sadly, no matter how secure the MFA method you choose is, life happens: tokens get lost, phones get stolen and passwords get forgotten. That’s why we mentioned briefly above that you’ll want to save the backup code Twitter generates when you turn on Twitter two-factor authentication. Let’s expand on that a bit.

As already mentioned, a Twitter backup code is generated at the same time 2FA is activated on any Twitter client, be it mobile, desktop, or app. But 4 more backup codes can be generated from twitter.com at any time.

How to download Twitter backup codes

Make sure to store these backup codes in a secure place: you can keep them as screenshots or printouts, or just write them down.

In the event that the phone is lost, the token is broken, or even if the phone number is changed, one of these codes can be used to restore access to your Twitter account.

The codes have to be applied in the exact sequence they were generated; a code used out of order will revoke all the codes generated before it.

Twitter backup codes are to be used for twitter.com and mobile Twitter, as well as for Twitter clients and the Android and iOS apps. They cannot be used for third-party apps that are associated with the Twitter account. For those you will need temporary passwords, so make sure not to confuse the two.

Temporary passwords are sent out by Twitter automatically when you enable 2FA and need to log in on other devices. But your own temporary password can be generated as well, from your Twitter account’s security settings in the “Additional methods” section.

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

18 Comments

  1. Thank you, Anna.
    Very useful information

  2. I lost access to my 2FA authenticator and my backup code, how can I generate a new one or deactivate the 2FA authenticator from my Twitter account

    • Dear Maryam, please, contact the Twitter support center (https://help.twitter.com/forms), they’ll create a trouble ticket, verify your identity, and disable the two-factor authentication on your account.

      • I have just recently had the same exact problem and was wondering the same thing. HOW LONG does this process take, as I’ve submitted the trouble ticket on Monday and this is now Saturday?

        • Dear Larry, I’m not sure because I never faced the same issue myself. It seems like the procedure can take up to a few months. Keep trying to get in touch with Twitter support, this is the only chance to restore access to your account.

          • I lost access to my 2FA authenticator and my backup code

        • I deleted the two-factor authentication code and backup code; now I’ve been trying for three days, why is it not sending a new code? I already have my registered mobile number.

      • Hello!

        I lost access to my phone, and I didn’t have a 2FA backup code saved, so I can no longer access my Twitter account. I already contacted them 4 months ago, but haven’t received an answer yet. Do they normally reply to these?

      • Hello Anna, I want to disable the 2-factor authentication on my account, but it doesn’t work. How can I communicate with them? Please help.

    • My Twitter account is logged out and Twitter is not sending my two factor authentication code to me, this has been going on for a month or thereabout. What do I do?

  3. Anna, pls tell me the steps to follow or help me contact them because they are not replying to my messages. I want them to help me deactivate the 2FA authenticator from my Twitter account; I have lost access to my 2FA authenticator and backup code because my phone got wiped. Thank you

  4. Anna, pls kindly tell me the steps to follow or help me contact them because they are not replying to my messages. I want them to help me deactivate the 2FA authenticator from my Twitter account; I have lost access to my 2FA authenticator and backup code because my phone got wiped. Thank you

    • Dear Maryam, if there’s a slight chance that you’re still logged in to your Twitter account on any other device, try to disable Twitter 2-factor authentication from the settings.

      If not, please, use this link to submit a ticket to the Twitter Help Center,
      https://help.twitter.com/forms/signin?ref=password_reset

      Unfortunately, I’m not sure how long it takes to get a response from Twitter because I never faced the same issue myself. It seems like it can take up to a few months. Be persistent and submit tickets until the support team answers you.

  5. Okay, so I have an authenticator app set up on my Mac. But I want to use my iPhone with the iOS version of the authenticator app. How do I get the QR code again without deleting the one I already have set up?

    • Hi Eric! Right you are, it’s impossible. You’ll have to re-enroll the token. First of all, disable two-factor authentication, probably you’ll need your token from the authenticator app on the Mac, then delete the token on Mac, and enable two-factor authentication again scanning the QR code with both devices – Mac and iPhone.

  6. Hello Anna,
    I lost my phone and with that phone I lost my authenticator app and backup code. I have been contacting Twitter support for one month, however I have had no luck. I know you haven’t faced any such issue, but if you find out something to disable Twitter two-factor authentication please keep me posted.

  7. My Twitter account is logged out and Twitter is not sending my two factor authentication code to me, this has been going on for a month or thereabout. What do I do?

  8. Hi, I have logged out of my Twitter account and do not have any backup code, so now I am not able to log in to my account. How can I get my backup code, as I do not have the phone number which I registered with Twitter?
