Twitter this week announced it had added the option for people to use physical security keys as their only form of two-factor authentication, an extra layer of protection for their accounts against hackers. Physical security keys typically plug into the USB port of a computer or connect to a mobile device through Bluetooth or a near-field communication (NFC) chip.
“Security keys offer the strongest protection for your Twitter account because they have built-in protections to ensure that even if a key is used on a phishing site, the information shared can’t be used to access your account,” Andy Sayler, senior security engineer at Twitter, wrote in a blog post.
Security keys use the FIDO and WebAuthn security standards, and can tell the difference between legitimate sites and malicious ones while blocking phishing attempts that SMS or verification codes would not, he said.
Twitter’s extra layer of protection comes as cyberattacks on companies and government agencies make headlines. A ransomware attack in May temporarily shut down the Colonial Pipeline, the biggest pipeline system for refined oil products in the U.S., leading to gasoline shortages in several states. The same month, meat supplier JBS was targeted in a ransomware attack that disrupted the food supply.
Twitter last year fell victim to an attack by hackers who took control of high-profile accounts, including those belonging to Joe Biden, Kim Kardashian West, Uber and Apple. Hackers duped several Twitter employees into giving up their login credentials to a phishing site.
The company over the years has taken steps to urge people to use some kind of two-factor authentication, Sayler said in the blog. The company in 2018 added the option to use security keys, but only on the Twitter.com website, not the mobile app, and required accounts to have another form of two-factor authentication.
In 2019, Twitter upgraded its security key support to use the latest WebAuthn standard. It also enabled two-factor authentication on a Twitter account without requiring a phone number, letting people protect their accounts from SIM-swapping attacks. Last year, Twitter added support for security keys on iOS and Android devices.
Twitter this year began letting users register multiple security keys on their Twitter accounts. That step lets users have backup security keys, and makes it easier for accounts managed by multiple people to enable two-factor authentication with multiple security keys.
People who don’t want to share their phone numbers with Twitter or don’t have a backup method of two-factor authentication can instead use security keys as their sole method to protect their accounts, Sayler said.