So if you care about your security, you need to avoid letting any service use your phone number for two-factor authentication, or otherwise plan to be fine when this happens.
Clarifications:
This is specifically phone numbers, right? I.e., authenticator apps should be fine.
But it sounds like Twitter specifically will let you reset your password using your phone number, even if you use some other form of 2FA. So really, Twitter uses phone numbers for 1FA.
I wonder how many other places do that. In my head, the standard experience of enabling 2FA is that I get a bunch of recovery codes that I need to copy somewhere safe (which admittedly, in practice, is often “the same place as I save my password to”).
I’d expect that if I want to reset my password I use those, and my phone number isn’t sufficient. Which should also mean that even if I use my phone number for 2FA and someone hijacks it, they won’t have access to my account unless they also manage to steal my password. But I’ve never tested this.
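The reasoning in the comment above (a phone-number password reset that sidesteps 2FA turns the phone number into a single factor, whereas a reset gated on recovery codes does not) can be checked mechanically with a small access-path model. The code below is an added example written for this thread, not code from the original post or from any service it mentions; the path names, the `reset_bypasses_2fa` switch and the credential labels are constructed assumptions used to model the two policies, not a description of how any real site is implemented.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed model: an "access path" is one way into the account, described by
# the set of credentials an attacker would need to hold to walk that path.
@dataclass(frozen=True)
class AccessPath:
    name: str
    required: FrozenSet[str]


def build_paths(second_factor: Optional[str],
                phone_reset: bool,
                reset_bypasses_2fa: bool,
                recovery_codes: bool) -> List[AccessPath]:
    """Enumerate the ways into an account under a given recovery policy.

    second_factor:       None, "sms" (code sent to the phone number) or "totp"
                         (authenticator app on a separate device).
    phone_reset:         whether a password reset can be completed with control
                         of the phone number alone.
    reset_bypasses_2fa:  whether that reset also skips the second factor
                         (the behaviour the comment attributes to Twitter).
    recovery_codes:      whether one-time recovery codes exist as a 2FA fallback.
    """
    second: Set[str] = {"totp": {"totp_device"}, "sms": {"phone_number"}, None: set()}[second_factor]
    paths = [AccessPath("login", frozenset({"password"} | second))]
    if recovery_codes:
        # Recovery codes replace the second factor but never the password.
        paths.append(AccessPath("login with recovery code",
                                frozenset({"password", "recovery_codes"})))
    if phone_reset:
        need = {"phone_number"} if reset_bypasses_2fa else {"phone_number"} | second
        paths.append(AccessPath("password reset via phone", frozenset(need)))
    return paths


def attacker_wins(paths: List[AccessPath], attacker_has: Set[str]) -> List[str]:
    """Names of the paths an attacker can complete with the credentials held."""
    return sorted(p.name for p in paths if p.required <= attacker_has)


def single_factor_paths(paths: List[AccessPath]) -> List[str]:
    """Paths that require only one credential, i.e. where the account is really 1FA."""
    return sorted(p.name for p in paths if len(p.required) == 1)


if __name__ == "__main__":
    hijacked = {"phone_number"}  # attacker controls the number (port-out / SIM swap)
    scenarios = {
        "SMS 2FA, reset by phone":                  build_paths("sms", True, True, True),
        "SMS 2FA, reset needs recovery codes":      build_paths("sms", False, False, True),
        "TOTP 2FA, phone reset that bypasses 2FA":  build_paths("totp", True, True, True),
        "TOTP 2FA, phone reset still asks for 2FA": build_paths("totp", True, False, True),
    }
    for label, paths in scenarios.items():
        print(f"{label}: attacker with hijacked number gets in via {attacker_wins(paths, hijacked) or 'nothing'};"
              f" single-factor paths: {single_factor_paths(paths) or 'none'}")
```

Note that with SMS as the second factor, a phone-number reset is single-factor even when the service still "asks for 2FA" afterwards, because the same hijacked number satisfies both steps; only a reset that demands something the attacker lacks (password plus recovery codes, or a second factor on a different device) keeps the account at two factors.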