Two-factor authentication (2FA) is something we should normalize for applications that are frequent targets of hacks and attacks. Twitter has always encouraged users to enable 2FA to keep their accounts safe, and there are several ways to do so. Security keys are probably the most secure of those ways, but until now Twitter still required users to have a second form of 2FA enabled, which was often their mobile number. Now Twitter is finally allowing security keys to be the only 2FA method on an account.
Sending a code to your mobile phone number is the most common 2FA method, but not the most secure. It is vulnerable to phishing attacks, hacking, etc., and it is also not ideal for those who do not want to share their mobile phone numbers with the application or the company. The fact that Twitter still required another form of 2FA even when security keys were enabled was therefore a nuisance. Now, finally, those who own security keys, who are probably serious about security, can rest easy, at least when it comes to Twitter.
Twitter posted that security keys “may be your only” 2FA method on both mobile devices and the web. For those unfamiliar with them, a security key is a physical device used to “enter” a digital space with 2FA. Security keys implement standards such as FIDO or WebAuthn, whose protocols are designed to prevent successful phishing attempts: they can differentiate between legitimate and malicious sites and stop the attempt.
Now security keys can be your only two-factor authentication method on mobile devices and on the web.
– Twitter support (@TwitterSupport) June 30, 2021
Security experts have asked users not to make SMS their default 2FA method. While it is still better than having none, users should be aware that those who try to get into an account can compromise SMS messages or use phishing attacks to gain access to their information. Security keys, meanwhile, are considered the most secure method because they are physical hardware devices. Twitter said that it will allow adding a second security key as a backup in case the key is lost.
Twitter assures users that it will continue to do everything possible to keep them safe on its platform, regardless of the 2FA method they use. But of course, users have a responsibility to keep their accounts and data safe by using all the security features offered in apps like Twitter whenever possible.