Keeping people safe and secure on Twitter is one of our top priorities, and we’re committed to helping people understand the security tools we offer and how to use them. Starting today, people on Twitter have the option to use security keys as their only form of two-factor authentication (2FA), which is the most effective way to keep your Twitter account secure.
While any form of 2FA is better than no 2FA, physical security keys are the most effective. Security keys are small devices that act like keys to your house. Just as you need a physical key to unlock the door to your home, you need a security key to unlock access to your account. Security keys offer the strongest protection for your Twitter account because they have built-in protections to ensure that even if a key is used on a phishing site, the information shared can’t be used to access your account. They use the FIDO and WebAuthn security standards to transfer the burden of protecting against phishing attempts from a human to a hardware device. Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS or verification codes would not.
Twitter has long encouraged the use of some form of 2FA. In 2018, we added the option to use security keys as one of several 2FA options. However, this initial support only worked for Twitter.com, not the mobile app, and required accounts to have another form of 2FA enabled as well.
In 2019, we upgraded our security key support to use the latest WebAuthn standard, which provides an up-to-date and secure authentication method recognized across the web. We also enabled the ability to use 2FA on a Twitter account without requiring a phone number, allowing people to protect their accounts from SIM-swapping attacks and opening up 2FA to more people. In 2020, we made additional improvements by enabling support for security keys on iOS and Android, in addition to the web. And earlier this year, we added the ability to register multiple security keys on your Twitter account, allowing you to have backup security keys and making it easier for accounts managed by multiple people to enable 2FA with multiple security keys.
Today, we’re adding the option to use security keys as your sole 2FA method — meaning you can enroll one or more security keys as the only form of 2FA on your Twitter account without a backup 2FA method. We know this is important to people because not everyone is able to have a backup 2FA method or wants to share their phone number with us. With this update, we want everyone to feel empowered to enable security keys to better secure their Twitter account.
We’ll continue to make updates and improvements to the ways you can keep your Twitter account secure.