Phishing attacks have continued to increase throughout the pandemic, including the July 2020 high-profile attacks on prominent X accounts. While these attacks did not directly involve end-user security, it always helps to have reminders to boost the safety and protection of our accounts.
While the policy on SMS as a free method of two-factor authentication (2FA) has changed, X does make 2FA configuration straightforward. We often refer to this as two-step login for easy understanding.
This post will walk you through setting up two-step login for your X account using Bitwarden and the built-in Bitwarden Authenticator. Please note that this is a Bitwarden Premium feature. However, far beyond securing X, the extra Bitwarden capabilities of encrypted storage, built-in authentication options, and ability to use physical security keys will provide benefits across your digital lifestyle.
From the X website, choose the three-dot ‘More’ menu on the left-hand side. From there choose ‘Settings and Privacy’, then ‘Security’, and then ‘Two-factor authentication.’
X offers three options for authentication: text message, security key, and an authentication app. Note that as of March 20, 2023, X only offers SMS authentication with an X Premium paid subscription. On that date, SMS authentication was deactivated for any free users who had not updated their authentication method to either an authentication app or a security key. One reason for this change in X policy is that text message is perhaps the least secure option, because there are known scenarios where malicious actors can port your phone number to a new SIM card without your knowledge. This is referred to as SIM jacking. We recommend two-step login with an authenticator app, and here is where the power of Bitwarden comes into play. We can create a two-step login sequence directly within the Bitwarden application, simplifying the login process and strengthening our end-user security profile.
You will eventually be prompted with a QR code to scan with your authenticator application. Here we can use the Bitwarden authenticator that is included with Bitwarden Premium features.
On your mobile device, with Bitwarden open, and the entry for X in Edit mode, you can capture the Authenticator Key (TOTP) by clicking the camera and capturing the QR code from your web browser.
Save the entry and you will then get the 6-digit token from your Bitwarden application to enter into the X website.
After that you’ll be all set!
Similar to when you set up two-step login on any website, you are often provided with backup codes should you ever lose your original authentication capability. Keeping track of your backup codes is important! You have many options, but one is to place your backup codes into a Secure Note within Bitwarden. This keeps them separate from your Login info, but not so far away that you will misplace them. Of course, some people would recommend that you keep your backup codes in a completely separate place, and that is ok, too. Just keep them in a safe and memorable place.
Once two-factor authentication is configured within X, you will see an option for ‘Backup Codes’.
It is VERY IMPORTANT that you generate and store backup codes in a safe place, separate from your other X login information. You may even want to generate a few codes in a text file (without saving), and then print it out for safekeeping. These backup codes could also be stored within a Secure Note in Bitwarden.
For more information on two-step login, please see our Bitwarden Field Guide for Two-Step Login.
Editor’s note: This article was originally written on July 16th, 2020 and was updated on September 8th, 2023.