This is an interesting part to me: "[T]he new order[0] adds more provisions to protect consumers in the future: ... Twitter must provide multi-factor authentication options that don’t require people to provide a phone number."

I would like to see this be a more broad-based rule. No, I am not moved by "SMS is easy" or "getting a number that can receive SMS is harder for scammers to do in bulk." If you must, give users the choice but not the obligation to hand over a mobile number.

0 - https://www.ftc.gov/legal-library/browse/cases-proceedings/2...

To further expand on this: 2FA should not rely on SMS at all. It should be an option but not the default one. An authenticator app should be the default. I know we assume everyone has a cell phone, but that's not the case.

Authenticator apps aren't much better. Look at their privacy policies. Installing Microsoft Authenticator means giving them your location data 24/7 and allows them to collect even more data on you than giving Twitter your phone number did. Do you really think they aren't going to use that data for anything else? I don't believe that any more than I believed Twitter.

Personally, I'd rather deal with the hassle of carrying around multiple hardware tokens than give companies a continuous stream of data about my personal life to use against me.

There are free, open-source, and privacy-respecting options for TOTP 2FA that don't require a mobile phone plan.

You can use something like KeePassXC (desktop) or something like KeePassDX or Aegis (on F-Droid on Android) as your OTP authenticator app to manage 2FA for Google, Amazon, eBay, Dropbox, etc., and there are other options as well.

Just wanted to add emphasis on Aegis. I've been using Aegis for Google, GitLab, PSN, domain management. No issues.

And it has zero permissions needed (aside from camera, which is granted on a need basis for scanning QR codes). It also works fine without ever having an Internet connection.