I made a Twitter account to reserve a name and after verifying the number, email address and setting up app / key-based 2FA it was locked without even sending out a single tweet. It even uses the same phone number and email as this account. That's some quality spam detection...
Conversation
All I had to do to get it unlocked was verifying the same number they'd already made me verify twice to set up the account and 2FA. Of course, I disabled SMS 2FA anyway and I'd disable TOTP too if they supported only having U2F / WebAuthn... Twitter should really fix this junk.
Replying to
Trezor Model T support for 2FA has a proper secure recovery mechanism, so having TOTP or SMS as a fallback is silly and defeats a lot of the purpose. Don't even really need the backup codes offered by sites, although those are still a good idea in case they break key-based auth.
1