Enabling two-factor authentication (2FA) for your Twitter account is a good idea, but handing your phone number over to Twitter gives many pause for thought. Relying on a phone number is also not the most secure method of protecting your account, especially given that Twitter CEO Jack Dorsey recently had his account hacked via his cellular provider. As TechCrunch reports, it's now possible to enable 2FA on Twitter without a phone number. This has been made possible by Twitter updating its login process to support the FIDO2 WebAuthn web authentication standard, which is approved by the World Wide Web Consortium (W3C).
WebAuthn allows support on the user side to be implemented in a number of different ways, purely in software, and without the need for a password. Instead, a code entry is required or a security key is used. In Twitter's case, WebAuthn will initially work only with physical security key authenticators, such as those offered by Yubico. Security key authentication still requires the use of a text message or an authentication app, but only for setup, meaning you can bypass the need to share your phone number by using the authentication app method. Supported web browsers include the latest versions of Chrome, Edge, Firefox, Opera, and Safari.
In the future, Twitter is expected to add support for other WebAuthn options, but for now it's just physical security keys.