In this age of data breaches and keylogging malware, passwords might not be enough to secure your accounts. That's where two-factor authentication (2FA) comes into play. These single-use codes can keep your data safe, but not all services support 2FA in the standard way. Case in point, Twitter sends a text message for 2FA codes even after you set up an authentication app. So annoying, but you can finally turn SMS off.
We’re rolling out an update to login verification.
You’ll now be able to use a third party app for two-factor authentication instead of SMS text messages.https://t.co/UXl3xKLEaG
— Twitter Safety (@TwitterSafety) December 20, 2017
Setting up 2FA on Twitter is still a bit dumb, even with this change. Twitter added support for 2FA apps earlier this year, so you might already have Twitter in Google Authenticator or Authy. Twitter still sends an SMS for every login attempt with the default settings. You can disable that for your existing 2FA, but you need to re-authenticate your app in the Twitter account settings. It's basically like configuring 2FA all over again.
If you never configured 2FA, you need to do the initial setup with a phone number and SMS. Then, you can configure your preferred authentication app. In either case, you can now disable SMS via the text message setting in your "Login verification" menu. Make sure you get the backup code and keep it in a safe place in the event you lose your phone. Without SMS, you can only generate new codes from your authentication app.