Twitter has made a significant change to the way users log in to their accounts, adding support for hardware security keys as a second factor. The change is a major upgrade over the SMS-based two-step verification that Twitter has had in place for several years.
Last year, Twitter added support for third-party authentication apps, including Duo Mobile and Google Authenticator. Those apps allow users to generate one-time passcodes in the case of Authenticator, or approve a login with a tap in the case of Duo Mobile. These options are considered much more secure channels than SMS, which can be subject to interception or spoofing in various forms. Attackers are fond of sending texts to broad swaths of mobile numbers with messages and links that look like login requests but lead to phishing sites.
Two-step verification over SMS is better than a username and password alone, but not nearly as resistant to attack as authenticator and 2FA apps are. Hardware security keys such as YubiKeys are a serious step up from SMS-based 2FA, too. Instead of entering a one-time password or a short code sent via text, a user logging into her Twitter account would insert a security key into a USB port on her computer and then tap the button on the key to approve the login.
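The reason a security key is a step up over a typed code is that the key's response is bound to the origin the browser is actually on, so a response produced for a look-alike page is useless at the real site, whereas a one-time code can be typed into any page and relayed within its validity window. The following is an added illustration written for this page, not Twitter's or Yubico's code: it implements RFC 6238 TOTP as authenticator apps do, and uses a toy key (ToySecurityKey) in which a per-origin HMAC key stands in for the real key's ECDSA signature. The domain names, secrets and timestamps are constructed, and the example goes beyond the article in spelling out the origin-binding mechanism.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 30  # seconds per TOTP window, the value authenticator apps use


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second counter."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def site_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The site can only compare digits; it cannot tell whether the user typed
    them into the real login page or into a look-alike page that relayed them."""
    return hmac.compare_digest(totp(secret, unix_time), code)


class ToySecurityKey:
    """Stand-in for a U2F/FIDO key (assumption: HMAC replaces ECDSA signing).
    The master secret never leaves the key; each origin gets its own derived key."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def _cred_key(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # What the site stores at enrolment (analogue of the credential's public key).
        return self._cred_key(origin)

    def assert_login(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies `origin`: it is the page actually
        # asking, so a phishing page receives an assertion bound to itself.
        return hmac.new(self._cred_key(origin), challenge, hashlib.sha256).digest()


def site_accepts_assertion(stored_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The site verifies against the key it stored for its own origin only."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def phishing_scenario() -> tuple:
    """Returns (totp_relay_accepted, key_relay_accepted, legit_key_accepted)."""
    real_site = "twitter.com"
    look_alike = "twitter-login.example"  # constructed look-alike domain
    now = 1_700_000_000                   # constructed timestamp

    # TOTP: a code entered on the look-alike page is still valid at the real site.
    totp_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    code_entered_on_look_alike = totp(totp_secret, now)
    totp_relay_accepted = site_accepts_totp(totp_secret, code_entered_on_look_alike, now)

    # Security key: the look-alike page relays the real site's challenge, but the
    # browser hands the key the look-alike's origin, so the assertion does not verify.
    key = ToySecurityKey(os.urandom(32))
    stored_key = key.register(real_site)
    challenge = os.urandom(32)
    assertion_for_look_alike = key.assert_login(look_alike, challenge)
    key_relay_accepted = site_accepts_assertion(stored_key, challenge, assertion_for_look_alike)

    # Same key, same challenge, genuine origin: accepted.
    legit_key_accepted = site_accepts_assertion(
        stored_key, challenge, key.assert_login(real_site, challenge))
    return totp_relay_accepted, key_relay_accepted, legit_key_accepted


if __name__ == "__main__":
    print(phishing_scenario())
```

The TOTP half checks against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives the 6-digit code 287082), so the one-time-code logic is the real scheme; only the key is a simplified model, and the point it shows holds for genuine U2F/WebAuthn assertions because the signed data includes the origin.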
There are a couple of limitations to the use of hardware keys for Twitter authentication. For one, users must have either an authentication app such as Duo Mobile attached to their account or have text two-step verification set up. Twitter does not allow people to use hardware keys alone for 2FA. Also, right now it appears that a given account can only have one hardware security key associated with it, making it difficult for people with shared accounts to take advantage of the option.
Twitter’s decision to add support for hardware security keys comes about a month after Yubico, the maker of YubiKeys, released a software development kit (SDK) that allows developers to add support for YubiKeys to their iOS apps. And many other popular services, such as Facebook, have had support for hardware security keys for some time.
Outside of perhaps bank and email accounts, social media accounts are probably the most valuable targets for attackers. Gaining access to a victim’s Facebook or Twitter account can give an attacker a direct conduit into the rest of the victim’s online life, and the addition of hardware-based 2FA makes an attacker’s job that much more difficult.