Security keys now the mandatory 2FA method for Twitter employees

Since June, Twitter has been enrolling each of its employees' accounts in mandatory two-factor authentication (2FA) using security keys.

This comes after last year's hack at the social media company, in which attackers seized control of dozens of high-profile accounts after a phone spear-phishing attack was used to steal Twitter employees' login details.

Accounts involved included those of Bill Gates, Elon Musk, Kanye West, Apple and Uber; the hackers used them to run a cryptocurrency scam that claimed to be giving away significant amounts of Bitcoin.

A 17-year-old later pleaded guilty to fraud after coordinating the hack, selling access to the accounts, and then later running the cryptocurrency scam. 

In response to the hack, Twitter have decided to alter their security protocols internally, making the use of security keys compulsory for all their staff. 

"Over the past year, we've accelerated efforts to increase the use of security keys to prevent phishing attacks," they said in a post on their blog. 

"We've also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year." 

All Twitter employees have now been migrated to using security keys as their 2FA method from legacy options of SMS or authenticator apps. 

Why is the emphasis on security keys? 

Twitter, like many companies in the last few years, has continuously developed its 2FA offering to try to improve security, and has consistently recommended security keys as the primary 2FA method.

According to Twitter, their security keys use the FIDO and WebAuthn security standards to provide ‘phishing-resistant’ 2FA.  

“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” said Twitter. 
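The phishing resistance Twitter describes comes from two checks the browser and the relying party make that SMS and OTP codes have no equivalent of: the browser writes the page's real origin into the signed client data, and the authenticator scopes the signature to the site's RP ID. The following added example (not Twitter's code, and not a real FIDO library) models one login ceremony so the checks can be seen failing. The RP ID `example.com`, the origin `https://example.com`, the phishing domain `phish.invalid`, the credential key and the OTP value are all constructed for illustration, and an HMAC stands in for the authenticator's per-credential ECDSA signature so the script runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed configuration for an imaginary relying party (RP); not Twitter's setup.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
CREDENTIAL_KEY = b"constructed-per-credential-secret"  # stands in for the key pair


def browser_client_data(challenge, page_origin):
    """The browser, not the page's script, writes the origin it is really on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()


def authenticator_assert(rp_id, client_data_json):
    """Model of the authenticator's assertion: it signs authenticatorData ||
    SHA-256(clientDataJSON). authenticatorData starts with SHA-256(rpId),
    where rpId is the domain the browser supplied for the current page.
    HMAC stands in for the credential's ECDSA signature (stdlib only)."""
    auth_data = (
        hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
        + b"\x01"                                # flags: user present
        + (1).to_bytes(4, "big")                 # signature counter
    )
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()


def rp_verify(expected_challenge, client_data_json, auth_data, signature):
    """The subset of WebAuthn assertion checks that defeat relayed phishing:
    ceremony type, challenge (freshness), origin, rpIdHash, then the signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def login(page_origin):
    """One login ceremony with the user on page_origin. The browser derives the
    rpId from that origin (a page cannot claim another site's rpId), and the
    result is submitted to the real RP, which is exactly what a relaying
    phishing page would do with it. The challenge is passed through unchanged,
    as a relay would, so it is the origin check that catches the relay."""
    challenge = secrets.token_urlsafe(32)           # issued by the real RP
    rp_id = page_origin.split("://", 1)[1]          # host part of the origin
    client_data = browser_client_data(challenge, page_origin)
    auth_data, sig = authenticator_assert(rp_id, client_data)
    return rp_verify(challenge, client_data, auth_data, sig)


def otp_check(submitted_code, code_expected_by_rp):
    """For contrast: an OTP carries no origin, so a code typed into a phishing
    page and relayed to the real site verifies just the same."""
    return hmac.compare_digest(submitted_code, code_expected_by_rp)


if __name__ == "__main__":
    print(login("https://example.com"))    # (True, 'ok')
    print(login("https://phish.invalid"))  # (False, 'origin mismatch: https://phish.invalid')
    print(otp_check("492817", "492817"))   # True, whichever page the user typed it into
```

The real RP never has to know that a phishing page exists: the relayed assertion simply names the wrong origin and carries the wrong rpIdHash, so it fails verification, whereas the relayed OTP is indistinguishable from one typed on the genuine site. Real deployments should use a maintained WebAuthn library rather than this model, which omits the public-key signature, counter tracking and attestation handling.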

Security keys were first added as a web-only option in 2018, and support was extended in December 2020, when they became available in the mobile apps too.

In March, Twitter added support for using multiple security keys and, since July, security keys can now be used as the sole 2FA method with all other login methods disabled. 

Widespread adoption of 2FA still yet to be seen 

The July 2020 Twitter hack saw the hijacking of high-profile Twitter accounts despite those accounts having 2FA enabled. However, this occurred because criminals gained access to the company's internal systems, so the victims' own login protections were never in play, and it was a highly sophisticated attack. The majority of attempts to gain access to accounts are likely to be foiled by most 2FA methods.

Despite this, adoption rates of 2FA are still very low. Between July and December 2020, Twitter revealed only 2.3 percent of active accounts had enabled any 2FA methods.  

Of these 2.3 percent, 79.6 percent used SMS-based 2FA, 30.9 percent used an authentication app and only 0.5 percent adopted security key 2FA (the figures add up to more than 100 percent because an account can have more than one method enabled).

Back when Twitter released these figures in July, one security professional tasked with large-scale 2FA deployment was damning about the current state of MFA rollouts.

“Where do you want me to start?” they told Security Week. “The user experience to set up MFA (multi-factor authentication) is a disaster. It’s a bigger disaster because everyone does it differently and there is no standard to anything. You can’t use lessons learned from one deployment to the next. It’s just messy.” 

2FA remains an important security measure online and you should still ensure you have it enabled wherever possible. Google have taken the decision to auto-enroll millions of their users in 2FA on their accounts. You can read more about 2FA here.