by noscrewstoyous 2148 days ago
You shouldn’t use a phone number for 2FA to begin with; you’d be better off without 2FA if that’s the only option IMO (assuming you’re using a strong unique password). This is just more fuel on that fire.
5 comments

2FA with SMS protects against password reuse or leaks. It's my understanding that SMS is weak against attacks targeted at particular people while being sufficiently strong for the majority of cases.
SS7 attacks scale better. SIM cloning is a lot of effort just to compromise a single SMS number.

In general, SMS is better than no 2FA, but it's weaker than OTP/OTH or a token like YubiKey or Titan.

Not sure I follow "You'd be better off without 2FA" (unless you're counting the use of the number for advertising) - it's weak, but it doesn't introduce additional vulnerabilities.

And IIRC at the time Twitter didn't offer any other 2FA mechanisms.
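The comment above contrasts SMS codes with OTP codes and hardware tokens. The following is an added example, not code from any commenter: a minimal OATH HOTP/TOTP (RFC 4226 / RFC 6238) verifier showing why an app-based code does not depend on the carrier at all, plus the two checks a server-side verifier needs (a small clock-drift window and a replay guard that refuses to accept the same time step twice). The secret and timestamps are the RFC test vectors; `last_counter` and the `window` parameter are assumptions of this example, not part of the standards.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# Used here only so the test vectors are reproducible offline.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step).
    Nothing here touches a phone number or the carrier network."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    - `window` tolerates clock drift of +/- one step (assumed policy).
    - `last_counter` is the highest counter already accepted for this user;
      any step at or below it is refused, so a captured code cannot be
      replayed within the drift window (assumed replay guard).
    - compare_digest keeps the comparison constant-time.
    """
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue  # already used: treat as replay
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))
```

Design note: the caller must persist the returned counter as the user's new `last_counter`; that single integer is what turns a "something you have" code into one that is also single-use, which an SMS code delivered over SS7 or to a ported SIM never gets for free.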

It’s a false sense of security.
Twitter didn't give me a choice when I made an account, it forced me to give them an email and a phone number.
Wouldn’t a phone-based 2FA also give you the knowledge that someone’s trying to log in? Can the SMS message somehow not be sent to all users on the network with your phone number?
Remember when Jack Dorsey had his SIM attacked for the 2FA?