OK, so am I correct in my assessment that Twitter accounts _cannot_ be secured by TFA alone? You _must_ to have a phone number associated with an account? I thought it was obvious by now that allowing SMS instead of time-synced TFA is a security _hole_, not an improvement?
Exactly - I can't believe this is how it works. TFA should be _completely separate_ from the phone. You can have a TFA key that isn't a phone, or doesn't have a trusted phone number associated with it. And phone SIMS are not secure anyway!