Vitalik Buterin
@vitalik.eth
Finally got back my T-Mobile account (yes, it was a SIM swap, meaning that someone socially-engineered T-Mobile itself to take over my phone number).
48 replies
75 recasts
388 reactions
Vitalik Buterin
@vitalik.eth
Main learning re Twitter was:

> A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter.

I had seen the "phone numbers are insecure, don't authenticate with them" advice before, but did not realize this
10 replies
11 recasts
65 reactions
Steve
@stevehere.eth
https://twitter.com/settings/account/login_verification

'Authentication app' or 'Security key' should be the only 2 options there. So far have had no troubles with using my 2FA app.
1 reply
0 recast
0 reaction
Ryan Lackey
@rdl
The issue is no good way to do account recovery for low value accounts at scale and no separation of high value accounts from low value accounts at services like Twitter.
1 reply
0 recast
2 reactions
Varun Srinivasan
@v
this

as much as i'd like to get rid of phone verification entirely, there's a whole class of people who will then just opt to have no recovery, which is worse
1 reply
1 recast
3 reactions
Ryan Lackey
@rdl
I’ve thought about doing a startup in this space but it isn’t super fun.
0 reply
0 recast
0 reaction