Sophos Cloud Optix
Twitter has added the ability to authenticate to the service using hardware tokens such as Yubico’s YubiKey.
Announced towards the end of a blog on the company’s efforts to deter spam and malicious bots, it marks a convenient step up in security for Twitter users who might already be using this type of security with other services.
The company introduced SMS-based Login Verification almost five years ago, but since then, it’s been slow to move with the times. What’s more, it’s been accepted for some time that SMS authentication is less than secure in number of different ways – it is vulnerable via the mobile app, through attacking the network, or through SIM swap fraud.
Six months ago, some time after this feature was enabled by other internet brands such as Google and Facebook, Login Verification became possible on Twitter through the use of third-party apps such as Google Authenticator, Duo Mobile, or Authy.
That has now been extended to FIDO Universal 2nd Factor (U2F) security keys. Using one makes it much harder to hack an account even when an attacker has got hold of the username and password because they also require physical possession of the token too.
You’ll find the Twitter setting to turn this on by visiting Settings and privacy > Account > Review your login verification methods > Login Verification.
When we tried this on an account on without any method of verification in place, it asked us to enable SMS verification to the registered mobile number first, after confirming our password. With that step complete, the options to use an authentication app or enrol a token appeared.
This is an authentication check on the act of setting even stronger authentication, presumably to avoid attackers breaking into accounts and locking people out completely.
It’s worth saving a backup code to guard against the possibility of losing the key or not having access to the mobile authenticator app. You can print out a list of codes for safe keeping. Also, note that enabling Login Verification will require using a one-off temporary password on other desktop computers or apps – your usual username and password won’t work.
Explains Twitter’s Login Verification guide:
For example, if you enabled login verification in your account settings on the web and need to login to the Twitter for Mac app, you will need to use a temporary password to do so.
I set up authentication through Chrome without any problems, however the U2F key enrolment refused to complete on Firefox. I’m unsure why this happened (Firefox supports U2F authentication). I have sought clarification on this from Twitter – along with further detail on how mobile devices will support Twitter hardware authentication when those tokens lack NFC support. I will update this article if and when I hear back.
Twitter is also not forthcoming about how many of its users have bothered to turn authentication on in any form. If Google is anything to go by, very few.
That’s a huge shame. Authentication is an excellent, cheap security upgrade that everyone should use.