The X 2FA Situation, Explained
X (formerly Twitter) made news by restricting SMS based 2FA to paying Premium subscribers. A lot of users read that as "2FA now costs money" and turned it off entirely. That's the wrong takeaway. The two methods that remain free, authenticator apps and security keys, are both more secure than SMS ever was. If X's change pushed you off SMS codes, it accidentally did you a favor.
How to Enable Authenticator App 2FA on X
- Open X and go to Settings and privacy (under More on desktop, or through your profile icon in the app).
- Select Security and account access → Security.
- Tap Two-factor authentication.
- Check Authentication app.
- Confirm your password, then X shows a QR code.
- Scan it with Google Authenticator, Authy, Microsoft Authenticator, or any TOTP app.
- Enter the six digit code from the app to confirm.
That's it. Every future login on a new device asks for your password plus the current code. The QR code you scanned is a standard otpauth link containing a Base32 secret; you can inspect any 2FA QR with our QR decoder and generate codes from a secret with our free online 2FA generator.
Grab Your Backup Code Before You Leave
During setup, X shows you a single use backup code. Store it in your password manager right away. You can generate a new one any time from the Two-factor authentication page. If your phone dies or your authenticator app is lost, this code is your way back in. We cover storage strategies in our backup codes guide.
Security Keys: The Upgrade for High Profile Accounts
X supports hardware security keys (FIDO2/WebAuthn) as a free 2FA method, and even lets you make keys your only method, removing weaker fallbacks entirely.
- In the Two-factor authentication settings, check Security key.
- Insert or tap your key (USB or NFC) when prompted.
- Name the key and save.
A hardware key can't be phished: it validates the real x.com domain cryptographically before answering. Journalists, brands, and anyone whose account moves markets should be on keys. New to the topic? Our hardware key guide and FIDO2 explainer cover the details, and you can check your device compatibility with our passkey tester.
If You Were Using SMS 2FA Before
When X disabled SMS 2FA for non subscribers, accounts that had it simply lost the protection. Check your status now:
- Go to Security → Two-factor authentication.
- If nothing is checked, your account is running on password alone. Fix that today with the authenticator method above.
- While you're there, review Additional password protection, which requires extra verification for password resets.
High profile X account takeovers have moved crypto prices and spread fake headlines within minutes. The account doesn't have to be famous to be dangerous in the wrong hands, it just has to be trusted by its followers.
Round Out Your X Account Security
- Check connected apps (Settings → Security and account access → Apps and sessions). Old third party apps with write access are a quiet risk. Revoke anything you don't use.
- Review active sessions and log out unfamiliar devices.
- Use a unique password. If your X password is reused anywhere, rotate it with our password generator.
- Confirm your email is current, since account recovery flows through it.
Frequently Asked Questions
Is 2FA on X really free?
Yes. Only the SMS method requires Premium. Authenticator apps and hardware security keys are free for everyone, and both are stronger than SMS.
Why did X paywall SMS 2FA?
X cited the cost of SMS delivery and fraud (SMS pumping schemes that generate fake verification traffic). Whatever the motive, the security community's consensus is that authenticator apps were always the better method. Our post on SMS 2FA weaknesses explains why.
Can I use 2FA on multiple X accounts?
Yes. Each account has its own 2FA setting and its own entry in your authenticator app. Repeat the setup per account.
I lost my authenticator and my backup code. Now what?
Try logging in and follow the "Lost access" links, which lead to X's account recovery form. You'll need access to the email or phone number on the account, and the process can take days. There's no guarantee, which is why the backup code exists.
Does 2FA stop my account from being suspended or impersonated?
No, 2FA only controls logins. Impersonation and platform moderation are separate issues. What 2FA does is make sure the tweets coming from your handle are actually yours.