Twitter account security and privacy 101

Someone asked me to write an easy-to-understand post on how to secure your Twitter account. Because I think a step-by-step guide could be useful to many people, I wrote this post.

I'm not too much of a fan of linking my phone number to accounts, but unfortunately Twitter still leaves us no choice if we want to enable two-factor authentication (2FA). Go to the following settings page.

Once you've done so and pressed the "Continue" button, enter the code you received via SMS in the "Verification code" field.

Click "Activate phone" and your phone number is now linked to your account. The next step is configuring 2FA.

Secure your account

First of all, make sure that you have a really strong and unique password for your Twitter account. If that's not the case, change it immediately here.

The next thing you need to do is configure 2FA for your account via this page.

By the way, check the "Require personal information to reset your password" option, as it's not checked by default.

But more importantly, to set up 2FA, click on the "Set up login verification" button. You will need to confirm your phone number.

Press the "Send code" button, enter the received code and press "Submit".

After you've submitted the code you get the following pop-up.

Make sure to get the backup code and store it securely. This code (which can only be used once) will give you access to your account whenever you're not able to receive the code via SMS (or any other verification medium).

Ok, now you've set up 2FA with SMS as login verification.

SMS-based 2FA is the weakest form of 2FA offered by Twitter, so we should set up a better way of login verification. Click "Review your login verification methods".

You now see that "Text message" is the only one that's enabled.

If you have a security key (this is a physical key, for instance a YubiKey), you can activate that one. It's the most secure option, but it also costs a bit of money. If you don't have a security key you can use an authenticator app. If you don't have an authenticator app installed on your smartphone, you need to do that first. I recommend installing Authy; it's free, available for Android and iOS, and very solid. Once you have the app installed, set up the "Mobile security app".

You need to scan the QR code.

After you've scanned the code, Authy (or any other authenticator app you use) will ask you to save an account for Twitter. To finish the setup you need to enter the code provided by the authenticator.

Now your login verification settings should look like this.

One more thing to do: because you've activated 2FA via either a security key or the mobile security app, there's no longer any need for 2FA via text message. When you press the edit button behind "Text message" you can switch it off easily. After you've done that it looks like this.

From now on you need to enter your verification code at login.

Check connected Apps and Devices

Another risk that's often overlooked is the apps that are connected to your Twitter account. Review which apps are connected and which rights they have. If you don't use these apps anymore, revoke their access. Also, when apps you use have excessive permissions, consider revoking access, unless you really need them and there are no less intrusive alternatives.

Privacy settings

Just as important as the security settings are the privacy settings. I'd recommend not adding a location to your tweets and switching off discoverability by phone and email. Another one I'd recommend switching off is "Personalisation and data". This personalisation is nothing more than Twitter tracking you, sharing data with partners and customizing ads based on your tweets and behavior.

Be careful what you post on Twitter

Security and privacy settings aren't the only things that matter. Always be careful what you post on Twitter. This is a golden rule for all social media, by the way. All pieces of personal information can potentially be tied together by miscreants and used in attacks against yourself, your company or your organization.

I hope these tips are useful, and let me know if you have more tips to improve Twitter account security.

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life