Waking up to find out your Twitter account has been hijacked to post antisemitic messages is a pretty crappy way to start your day. That’s why enabling two-factor authentication for your Twitter account is so important. It takes several steps, so follow along to learn how.
Head on over to the Twitter website and log in to your account. You can also set up two-factor authentication from Twitter’s own iOS app, but not everyone uses that, so I’m focusing on the web-based steps. Now do this:
- Click your account avatar in the upper right corner
- Choose Settings and privacy
- Select Account
- If you haven’t already confirmed your email address, enter it in the Email field then click Save changes
- Check your email for Twitter’s verification message and click Confirm now
- Use the new Twitter webpage that opened in your browser and click your account avatar again so you can choose Settings and privacy > Account
- Check Verify login requests
- Click Start
- Enter your Twitter account password, then click Verify
- Twitter needs to verify your phone number, so click Send code
- Enter the code Twitter sent as a text message to your phone
- Click Get backup code, then save the code someplace safe like 1Password. The backup code lets you log in to your Twitter account if your smartphone is lost.
Now any time you log in to your Twitter account you’ll need two things: the password you already know, and the one-time code Twitter sends you. That’s how two-factor authentication works. Without both parts your account isn’t accessible, which means someone who has only your password can’t break into your account and post embarrassing tweets you’d rather not see.
Twitter’s Two-factor Authentication Workaround
That doesn’t, however, stop hackers from posting through apps that already have access to your account. A linked app posts through the access you granted it, not by logging in as you, so the one-time code is never requested. If a bad guy finds a way to hack into a service you’ve linked to your Twitter account, they can use that access to bypass two-factor authentication and post without your permission.
You can check to see which apps and services have access to your Twitter account by clicking Apps after choosing Settings and privacy. I found Ping was still linked to my account, so it was time for that to go. All I had to do was click Revoke access.
Twitter doesn’t make setting up two-factor authentication particularly easy if your email address isn’t showing as verified. I had to change my address to a different email account, go through the verification process, then change my address back and re-verify again.
Why the reference to antisemitic tweets, you ask? It’s because that’s exactly what happened to some Twitter Counter users. The analytics service was hacked, and people who were using it found some pretty nasty pro-Nazi tweets in Turkish posted in their names, complete with swastikas. That’s why it’s important to limit which apps and services have access to your account, even though you’re using two-factor authentication.