Twitter has supported 2-factor authentication (2FA) via authenticator apps for quite a while already, but it has always required you to add a phone number to your account for recovery and backup purposes. Since tie-ins with phone numbers tend to add an additional security risk thanks to SIM swap attacks, this wasn't the best solution for everyone, and Twitter has heard its safety-conscious users. It is now possible to secure your account with 2FA without adding a phone number at all.
You have three options for two-factor authentication.
I tested the change with my account right away, and it seems to work just as intended. In the Twitter app settings, I could choose between three security options: Text message, authenticator app, or security key. It's possible to activate all three of these at once, but for the purposes of this test, I only activated the authentication app. If you have an application like Authenticator Plus installed, Twitter automatically hands over its code to the app and after verifying the six digits, you're all set. Smooth sailing.
We're also making it easier to secure your account with Two-Factor Authentication. Starting today, you can enroll in 2FA without a phone number. https://t.co/AxVB4QWFA1
— Twitter Safety (@TwitterSafety) November 21, 2019
Unfortunately, deleting the phone number still makes the "Safeguard your account" prompt show up in the feed because adding it would help you regain access to your account should you lose your password. People replying to the Tweet above report similar behavior. Others complain that when they tried to deactivate phone numbers as a second factor, the website and/or app told them that they'd lose 2FA altogether. The change is probably still rolling out, so these hiccups will hopefully disappear over time.
The "Safeguard your account" prompt shows up again after deleting your phone number.
The company also announced that it's replacing the FIDO U2F with the FIDO2 WebAuthn protocol on desktops, which will allow more versatile and stronger "browser-to-hardware-based authentication using devices such as security keys, mobile phones (NFC, BLE)," and biometric factors like TouchID.