Twitter recently fixed their 2-factor authentication, allowing you to remove SMS (text) from the authentication methods. And you should take them up on the offer immediately. All it took was the Twitter CEO getting hacked by a SIM-swap attack.
Before you read on, I encourage you to head over to your Twitter Two-Factor Authentication screen and disable “Text message” as a method (relying on your TOTP application and your Security key).
OK, back? This is not just about Twitter. Yes, I think it was a mistake to force SMS in the list as they used to do… but Twitter was, and is, still more secure than most sites out there which have *NO 2-Factor Authentication* at all. Your bank?
If it's worth having a login, it's worth having 2-factor: something you know, and something you have. In an ideal world you log in with OpenID Connect (OAuth2) so the application has *no password*, nothing to breach.
Now, I know you. You are saying “It’s only Twitter, what harm can there be?”. Well, in today’s world, a hacker could cause World War III via Twitter. In an era where a US president makes policy proclamations via Twitter, and can cause the stock of Boeing to drop with 140 characters or less, yes, a false tweet from someone could cause a war. The moral of this is… the damage can always be worse than you think.
SMS is not secure. It was not designed to be. Remove it from your 2-factor authentication list now. Everywhere. It's better than nothing, but we deserve better than that.