PerezBox

Tony Perez On Security, Business, And Life


How to enable 2FA on Twitter with Authy, Google Authenticator or another Mobile Application

Published in Security on November 29, 2018

It had been a long time since I last had to enable 2FA on Twitter, and I found the process completely infuriating. Twitter’s 2FA configuration uses SMS as the default option, and SMS is no longer advised by NIST: SP 800-63B classifies out-of-band codes delivered over the phone network as a restricted authenticator.

We don’t have to look far to understand why. In the TTPs leveraged to hijack a customer’s domain portfolio, the weakest link was the attacker’s ability to take over the user’s SIM card (a SIM swap), which in turn let them receive the victim’s SMS codes.

It is recommended that you use a Time-based One-Time Password (TOTP) application (e.g., Authy, Google Authenticator) for your 2FA needs; the code is computed on the device from a shared secret, so there is nothing for a SIM swap to intercept. Unfortunately, doing this on Twitter requires multiple steps. This guide will walk you through the process.

How to Set up 2FA With OTP Applications (e.g., Google Authenticator)

The first thing you need to do is log into your Twitter account and follow these steps:

  1. Click on your Profile picture
  2. Select Settings and privacy
  3. Click Set up login verification


To start the process you’re going to need to provide a phone number. Twitter uses this number to bootstrap login verification, even though the goal is to end up with the phone number playing no part in it. Here is what you can expect on the journey:

  • They will verify this is what you want to do:

  • You will need to provide your account password:

  • It will confirm the number to use, based on your initial account set up:

  • You will verify the code, and the application will provide an option to get a backup code. I always recommend saving the backup code in your password manager for safekeeping; it is the only way back into the account if you lose the device.

  • After saving the backup code, click Done. You’ll land back on the security and privacy page and see that login verification is now on:

  • Click on Review your login verification methods and you’ll be presented with a rich options table

Select the Mobile Security App option, follow the prompts until you get the QR code:

  • Use your favorite mobile authentication app and scan the code. Do not forget to VERIFY the code inside of Twitter, it does not activate until verified.

  • Lastly, do not forget to disable SMS 2FA. If you leave SMS enabled it will keep working alongside your authentication app, so a SIM swap still hands an attacker a valid second factor and you have gained nothing. To turn it off, on your security and privacy page click Edit and select the OFF option.

  • Done!

Security can never trump Convenience

As a technologist this entire experience infuriates me; this type of design is far too convoluted for the everyday user. It’s difficult enough to get consumers to understand and appreciate the importance of security without these challenging designs. It’s incumbent on us as product owners to pay more attention to these kinds of experiences if we truly want to have a positive impact on the adoption of these controls.

Category: Security Topics: End User Security, Security Tools And Technology

About Tony Perez

One of CleanBrowsing and NOC.org Founders. Formerly GoDaddy's General Manager (GM) for the Security Product Group. Responsible for the Sucuri brand, Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, and Incident Response products and services. The former CEO / Co-Founder of Sucuri and US Marine.

You can follow me on Twitter at @perezbox.

Copyright © 2022 Tony Perez, PerezBox. All Rights Reserved | Security | Privacy