It’s been a long time since I last had to enable 2FA on Twitter, and I found the process completely infuriating. Twitter’s 2FA configuration uses SMS as the default option, which NIST no longer recommends.
We don’t have to look far to understand why: in the TTPs used to hijack a customer’s domain portfolio, the weakest link was the attacker’s ability to hijack a user’s SIM card (i.e., SIM swapping, which leads to SMS hijacking).
I recommend using Time-based One-Time Password (TOTP) applications (e.g., Authy, Google Authenticator) for your 2FA needs. Unfortunately, doing this in the Twitter application requires multiple steps. This guide will walk you through the process.
How to Set up 2FA With OTP Applications (e.g., Google Authenticator)
The first thing you need to do is log into your Twitter account and follow these steps:
- Click on your Profile picture
- Select Settings and privacy
- Click Set up login verification
To start the process you’re going to need to provide a phone number. This phone number will be used to start the verification process. Here is what you can expect on the journey:
- They will verify this is what you want to do:
- You will need to provide your account password:
- It will confirm the number to use, based on your initial account set up:
- You will verify the code, and the application will offer an option to get a backup code. I always recommend saving the backup code to your password manager for safe keeping.
- After saving the backup code, you’ll click Done and see a change on the Security and privacy page:
- Click on Review your login verification methods and you’ll be presented with a rich options table.
Select the Mobile security app option and follow the prompts until you get the QR code:
- Use your favorite mobile authentication app and scan the code. Do not forget to VERIFY the code inside of Twitter; it does not activate until verified.
- Lastly, do not forget to disable SMS 2FA. If you leave SMS enabled it will work in tandem with your authentication application, and the SIM-swap weakness remains. To do this, on your Security and privacy page click Edit and select the OFF option.
Security can never trump Convenience
As a technologist, this entire experience infuriates me; this type of design is far too convoluted for the everyday user. It’s difficult enough to get consumers to understand and appreciate the importance of security without these challenging designs. It’s incumbent on us as product owners to pay more attention to these types of experiences if we truly want to have a positive impact on the adoption of these controls.