Shaky Twitter Two-Factor Authentication Interaction

Martin Fowler: 18 Feb 2023

Accessing Twitter this morning, I was greeted with a prompt saying that they were getting rid of text messages as a form of two-factor authentication unless you subscribed to Twitter Blue. I thought “fine”, because I don’t use text messages for that, preferring a one-time code managed by 1Password. I clicked through and it told me it had removed the text message two-factor that I didn’t have, and would I like to set up something using a one-time code or hardware dongle? It seems that Twitter had mistakenly deleted my one-time code link.

I don’t think this is a huge deal, as I just set up another one-time code. But it’s the sort of thing that reinforces the impression that bits are steadily falling off Twitter.

Whatever anyone thinks of this, I do urge readers to use two-factor authentication on any important service. While SMS two-factor authentication is better than none at all, it does suffer from some significant vulnerabilities. The better way to do two-factor authentication is to use one-time codes, which are generated by a program that supports them. I use 1Password for this, but there are other alternatives. Twitter currently supports one-time codes without needing to subscribe to Twitter Blue.