ESET Expert

Twitter now lets users set security keys as the only 2FA method

You can now secure your account with a physical security key as your sole 2FA method, without any additional 2FA option

If you’re on Twitter, you can now use a hardware security key as your sole two-factor authentication (2FA) method. While previously the microblogging service allowed users to use a security key as one of several authentication factors, back in March Twitter announced that it would soon allow physical security keys to be used as the sole authentication method. Keeping true to its promise, it has now rolled out the feature for all users who want to double down on their account security.

“Keeping people safe and secure on Twitter is one of our top priorities, and we’re committed to helping people understand the security tools we offer and how to use them. Starting today, people on Twitter have the option to use security keys as their only form of two-factor authentication (2FA), which is the most effective way to keep your Twitter account secure,” reads the blog announcing the feature.

Now security keys can be your one and only two-factor authentication method on mobile and web. Learn more about how security keys can protect your account from attacks: — Twitter Support (@TwitterSupport) June 30, 2021

Using security keys as a 2FA method isn’t novel to Twitter. In 2018 it introduced the option as one of multiple 2FA methods, but that required users to have another form of 2FA activated as well, with support being initially rolled out to just the web version. The feature was extended to the Android and iOS apps in 2020, and earlier this year the option to register multiple security keys was added as well.

While a common piece of cybersecurity wisdom says that any kind of 2FA is better than none at all, hardware security keys provide more effective safeguards against account takeovers than other methods, particularly SMS-based 2FA. Indeed, authenticator apps have also been in the attackers’ crosshairs.

Nevertheless, it’s especially codes received via text messages that a determined cybercriminal can intercept with relative ease. Also, a bad actor could, for example, divert text messages to another SIM card by conducting a SIM swap attack, which involves impersonating the target and contacting their telecom operator to convince them that the “victim’s phone” was stolen and that they are now using a new SIM.

“Security keys offer the strongest protection for your Twitter account because they have built-in protections to ensure that even if a key is used on a phishing site, the information shared can’t be used to access your account. They use the FIDO and WebAuthn security standards to transfer the burden of protecting against phishing attempts from a human to a hardware device. Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS or verification codes would not,” said Twitter, highlighting the differences.
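The site-binding described in that statement shows up on the server as two checks on every WebAuthn login response: the origin the browser recorded in `clientDataJSON`, and the hash of the relying-party ID at the start of the authenticator data. The sketch below is an added example, not code from Twitter or ESET; the domains, challenge and payloads are constructed, and verification of the key's signature (which covers both structures) is omitted.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://example.com"  # assumed relying-party origin
EXPECTED_RP_ID = "example.com"           # assumed relying-party ID

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means these checks pass.
    A real server must also verify the key's signature over
    auth_data || SHA-256(client_data_json), which is not done here."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")
    # The browser, not the page, records the origin that requested the assertion.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # Authenticator data: 32-byte SHA-256(RP ID), 1 flags byte, 4-byte counter.
    if len(auth_data) < 37:
        return failures + ["authData length"]
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:  # UP flag: the user touched the key
        failures.append("user presence")
    return failures

def sample(origin: str, rp_id: str, challenge: bytes):
    """Build a constructed (not captured) login response for the demo."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    # Response produced on the genuine site.
    print(check_assertion(*sample("https://example.com", "example.com", chal), chal))
    # Response produced on a constructed look-alike domain, then relayed.
    print(check_assertion(*sample("https://example-login.test", "example-login.test", chal), chal))
```

A relayed SMS or app code carries no such origin or RP ID information, which is why the server cannot tell where it was typed.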

If you haven’t enabled any 2FA methods on your account just yet, you’d do well to do so immediately by following Twitter’s handy guide. And to avoid your account getting hacked, you can follow our recommendations on how to stay safe and secure on Twitter.

