Remove phone number from 2FA

  • Unknown's avatar
    pitawat · Member ·

    I have long enabled 2FA on my WordPress.com account which Authenticator app was my main method of getting the code.

    Now I have added 3 security keys to my account, and I would like to remove my phone number or at least disallow the ‘Send code via text message’ option when logging in. I would like my account to be able to login with either security key or codes from authenticator app only (with backup codes still effective of course).

    As many of us are aware that getting OTP codes via SMS is the least secure option when using 2FA and shouldn’t be used when we have better options like security keys or authenticator apps.

    I couldn’t find a way to remove my phone number from my account. I have browsed through this link https://wordpress.com/me/security and found no option to remove phone number. The ‘Recovery SMS Number’ section has a yellow exclamation mark and says ‘You do not have a recovery SMS number’.

    Thank you.

    WP.com: Yes
    Jetpack: No
    Correct account: Yes

    The blog I need help with is: (visible only to moderators and staff)

  • aleone89 · Staff ·

    Hello there,

    Many thanks for reaching out.

    Now I have added 3 security keys to my account, and I would like to remove my phone number or at least disallow the ‘Send code via text message’ option when logging in. 

     The ‘Recovery SMS Number’ section has a yellow exclamation mark and says ‘You do not have a recovery SMS number’.

    I can see that two step is enabled, but a phone number is not specified.

    Are you getting a prompt to use a phone number when signing in?

  • Unknown's avatar
    pitawat · Member ·

    Hi, thanks for your reply.

    Yes, when I input my username and password, it provides options to continue with security key, authenticator app, or text message.

    This means that even though I have enabled the most secure option (security key), I am still vulnerable to SMS hijacking technique. My goal is to have my account able to login with security key and authenticator app only, the login page must not allow sending code via SMS. Is this possible?

    Please see my screenshot here https://imgur.com/a/0u1nGZh

    Thanks.

  • aleone89 · Staff ·

    Hello there,

    Many thanks for the screenshot. Currently, your account isn’t set up to use 2FA via SMS currently.

    Universally, it wouldn’t be possible to disable sending a code via SMS.

  • The topic ‘Remove phone number from 2FA’ is closed to new replies.