How to turn on two-factor authentication for twitter

Chris Hoffman is Editor-in-Chief of How-To Geek. He’s written about technology for over a decade and was a PCWorld columnist for two years. Chris has written for The New York Times, been interviewed as a technology expert on TV stations like Miami’s NBC 6, and had his work covered by news outlets like the BBC. Since 2011, Chris has written over 2,000 articles that have been read nearly one billion times—and that’s just here at How-To Geek. Read more.

How to turn on two-factor authentication for twitter

Two-factor authentication systems aren’t as foolproof as they seem. An attacker doesn’t actually need your physical authentication token if they can trick your phone company or the secure service itself into letting them in.

Additional authentication is always helpful. Although nothing offers that perfect security we all want, using two-factor authentication puts up more obstacles to attackers who want your stuff.

Your Phone Company is a Weak Link

The two-step authentication systems on many websites work by sending a message to your phone via SMS when someone tries to log in. Even if you use a dedicated app on your phone to generate codes, there’s a good chance your service of choice offers to let people log in by sending an SMS code to your phone. Or, the service may allow you to remove the two-factor authentication protection from your account after confirming you have access to a phone number you configured as a recovery phone number.

This all sounds fine. You have your cell phone, and it has a phone number. It has a physical SIM card inside it that ties it to that phone number with your cell phone provider. It all seems very physical. But, sadly, your phone number isn’t as secure as you think.

If you’ve ever needed to move an existing phone number to a new SIM card after losing your phone or just getting a new one, you’ll know what you can often do it entirely over the phone — or perhaps even online. All an attacker has to do is call your cell phone company’s customer service department and pretend to be you. They’ll need to know what your phone number is and know some personal details about you. These are the kinds of details — for example, credit card number, last four digits of an SSN, and others — that regularly leak in big databases and are used for identity theft. The attacker can try to get your phone number moved to their phone.

There are even easier ways. Or, For example, they can get call forwarding set up on the phone company’s end so that incoming voice calls are forwarded to their phone and don’t reach yours.

Heck, an attacker might not need access to your full phone number. They could gain access to your voice mail, try to log in to websites at 3 a.m., and then grab the verification codes from your voice mailbox. How secure is your phone company’s voice mail system, exactly? How secure is your voice mail PIN — have you even set one? Not everyone has! And, if you have, how much effort would it take for an attacker to get your voice mail PIN reset by calling your phone company?

How to turn on two-factor authentication for twitter

With Your Phone Number, It’s All Over

Your phone number becomes the weak link, allowing your attacker to remove two-step verification from your account — or receive two-step verification codes — via SMS or voice calls. By the time you realize something is wrong, they can have access to those accounts.

This is a problem for practically every service. Online services don’t want people to lose access to their accounts, so they generally allow you to bypass and remove that two-factor authentication with your phone number. This helps if you’ve had to reset your phone or get a new one and you’ve lost your two-factor authentication codes — but you still have your phone number.

Theoretically, there’s supposed to be a lot of protection here. In reality, you’re dealing with the customer service people at cellular service providers. These systems are often set up for efficiency, and a customer service employee may overlook some of the safeguards faced with a customer who seems angry, impatient, and has what seems like enough information. Your phone company and its customer service department are a weak link in your security.

Protecting your phone number is hard. Realistically, cellular phone companies should provide more safeguards to make this less risky. In reality, you probably want to do something on your own instead of waiting for big corporations to fix their customer service procedures. Some services may allow you to disable recovery or reset via phone numbers and warn against it profusely — but, if it’s a mission-critical system, you may want to choose more secure reset procedures like reset codes you can lock in a bank vault in case you ever need them.

How to turn on two-factor authentication for twitter

Other Reset Procedures

It’s not just about your phone number, either. Many services allow you to remove that two-factor authentication in other ways if you claim you’ve lost the code and need to log in. As long as you know enough personal details about the account, you may be able to get in.

Try it yourself — go to the service you’ve secured with two-factor authentication and pretend you’ve lost the code. See what it takes to get in. You may have to provide personal details or answer insecure “security questions” in the worst case scenario. It depends on how the service is configured. You may be able to reset it by emailing a link to another email account, in which case that email account may become a weak link. In an ideal situation, you may just need access to a phone number or recovery codes — and, as we’ve seen, the phone number part is a weak link.

Here’s something else scary: It’s not just about bypassing two-step verification. An attacker could try similar tricks to bypass your password entirely. This can work because online services want to ensure people can regain access to their accounts, even if they lose their passwords.

For example, take a look at the Google Account Recovery system. This is a last-ditch option for recovering your account. If you claim to not know any passwords, you’ll eventually be asked for information about your account like when you created it and who you frequently email. An attacker who knows enough about you could theoretically use password-reset procedures like these to get access to your accounts.

We’ve never heard of Google’s Account Recovery process being abused, but Google isn’t the only company with tools like this. They can’t all be entirely foolproof, especially if an attacker knows enough about you.

How to turn on two-factor authentication for twitter

Whatever the problems, an account with two-step verification set up will always be more secure than the same account without two-step verification. But two-factor authentication is no silver bullet, as we’ve seen with attacks that abuse the biggest weak link: your phone company.

How to turn on two-factor authentication for twitter

* This post is part of iPhone Life‘s Tip of the Day newsletter. Sign Up. *

I recently wrote an article on how to turn on Two-Factor Authentication on your iPhone for better security. Apple introduced this feature in iOS 10 And then, with the release of iOS 11, iPhone users were automatically upgraded from Apple’s less secure Two-Step Verification feature. Apple ID Two-Factor Authentication requires the use of multiple devices. For example, if you get a new iPhone, when you log into your Apple ID account for the first time, you’ll need to use your Mac, iPad, or old iPhone to receive a six digit Apple verification code to confirm that it’s you logging in and not some stranger trying to access your account on a random device. This is important since your Apple ID is used for everything from storing personal photos to making purchases with your credit card. However, if you don’t feel the need to use this feature, you can use this tip to turn Two-Factor Authentication off. Be careful though, your Apple ID account wil be significantly less secure and you may not be able to use Apple Pay Cash and other Apple features when you turn off Two-Factor Authentication.

How to Turn Off Two-Factor Authentication

You’ll need to access a computer and open a browser, then visit appleid.apple.com.

Log in to your Apple ID account.

Of course, you’ll need to use Two-Factor Authentication to log in. Once you’ve entered the Apple ID verification code, you’ll be in your account settings.

How to turn on two-factor authentication for twitter

Locate the Security section under the Account section and tap Edit.

Tap Turn Off Two-Factor Authentication.

How to turn on two-factor authentication for twitter

Confirm Turn Off Two-Factor Authentication.

You’ll be prompted to create security questions.

How to turn on two-factor authentication for twitter

Then it will ask you to Complete Your Security Information.

An email will be sent to the backup email you provide. Open the email and enter the code you received.

How to turn on two-factor authentication for twitter

It will then confirm that Two-Factor Authentication has been turned off.